fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836 | Triage

Submit
Reports

Overview

overview

Static

static

8

fd57d9f655...36.xls

windows7-x64

fd57d9f655...36.xls

windows10-2004-x64

Sharing

General

Target

fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836
Size

35KB
Sample

240705-z5qcesycnd
MD5

aca54b228c3c6ca8b083c44407d03264
SHA1

bc8b2f0074a04c79225a6de5e933360e51265f18
SHA256

fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836
SHA512

35e6dcf1084ab519243e7ea34ff59e77e839b7184dfc871d5a21729b424b472baeac81f4320db9b9db90f8ef03793121c08f8a1183d1b53dd6d92bd43017aa0e
SSDEEP

768:HtvoegUk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ2z2UWOd93:H5k3hbdlylKsgqopeJBWhZFGkE+cL2Nf

Score

10^/10

execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836.xls

Resource

win7-20240220-en

windows7-x64

15 signatures

60 seconds

Behavioral task

behavioral2

Sample

fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836.xls

Resource

win10v2004-20240704-en

windows10-2004-x64

14 signatures

60 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

- Target
  
  fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836
- Size
  
  35KB
- MD5
  
  aca54b228c3c6ca8b083c44407d03264
- SHA1
  
  bc8b2f0074a04c79225a6de5e933360e51265f18
- SHA256
  
  fd57d9f65551c35df28e4afdc7150ac69678cd2daedb0187c2645de435e97836
- SHA512
  
  35e6dcf1084ab519243e7ea34ff59e77e839b7184dfc871d5a21729b424b472baeac81f4320db9b9db90f8ef03793121c08f8a1183d1b53dd6d92bd43017aa0e
- SSDEEP
  
  768:HtvoegUk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJ2z2UWOd93:H5k3hbdlylKsgqopeJBWhZFGkE+cL2Nf
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy