c54efb7b84413ba1c60e6fb6975ba4a87cb1ee05ea5aa3281bc8347e56dd7aed

Sharing

Copy URL

Twitter E-mail

General

Target

c54efb7b84413ba1c60e6fb6975ba4a87cb1ee05ea5aa3281bc8347e56dd7aed
Size

44KB
Sample

240705-z28dtsycjd
MD5

6b25785c651f92b59f91d0a3d881cc54
SHA1

1f10f11c229aeebf857f9021c8721c3c3adb01ab
SHA256

c54efb7b84413ba1c60e6fb6975ba4a87cb1ee05ea5aa3281bc8347e56dd7aed
SHA512

4cb34598285573d3f0dc7c4277512fdc83dab5ab3fa12466536f4863afec0498555587a1194ce1033501a350a959b5ed09ec96f5eb509d59939989a6af9d5124
SSDEEP

768:Jtvo2+jk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJdeFWkuF6mQQcMQJ9acD9acyL:BWk3hbdlylKsgqopeJBWhZFGkE+cL2Ni

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

- Target
  
  c54efb7b84413ba1c60e6fb6975ba4a87cb1ee05ea5aa3281bc8347e56dd7aed
- Size
  
  44KB
- MD5
  
  6b25785c651f92b59f91d0a3d881cc54
- SHA1
  
  1f10f11c229aeebf857f9021c8721c3c3adb01ab
- SHA256
  
  c54efb7b84413ba1c60e6fb6975ba4a87cb1ee05ea5aa3281bc8347e56dd7aed
- SHA512
  
  4cb34598285573d3f0dc7c4277512fdc83dab5ab3fa12466536f4863afec0498555587a1194ce1033501a350a959b5ed09ec96f5eb509d59939989a6af9d5124
- SSDEEP
  
  768:Jtvo2+jk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJdeFWkuF6mQQcMQJ9acD9acyL:BWk3hbdlylKsgqopeJBWhZFGkE+cL2Ni
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2