c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907 | Triage

Submit
Reports

Overview

overview

Static

static

8

c5705ba72b...07.xls

windows7-x64

c5705ba72b...07.xls

windows10-2004-x64

Sharing

General

Target

c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907
Size

44KB
Sample

240705-z6j7sswcpr
MD5

7dbf295fd3e9472f4786d5fb25f7698e
SHA1

d67d5e5f26e1b203f36e108c2149484772296f54
SHA256

c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907
SHA512

2d482cc0ae7effb4ab35df8495577280df60ea6ff48eca7a90c51994d3291bf1c8c07afb6c0697a8ca68b7ebc540a9df717c47fc17cae4a13992c99f1e66d670
SSDEEP

768:Otvo2+jk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJdeFWkuF6mQQcMQJ9acD9acyL:uWk3hbdlylKsgqopeJBWhZFGkE+cL2Ni

Score

10^/10

execution macro macro_on_action

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907.xls

Resource

win7-20240221-en

windows7-x64

14 signatures

60 seconds

Behavioral task

behavioral2

Sample

c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907.xls

Resource

win10v2004-20240704-en

windows10-2004-x64

14 signatures

60 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://raw.githubusercontent.com/enigma0x3/Generate-Macro/master/Generate-Macro.ps1

Targets

- Target
  
  c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907
- Size
  
  44KB
- MD5
  
  7dbf295fd3e9472f4786d5fb25f7698e
- SHA1
  
  d67d5e5f26e1b203f36e108c2149484772296f54
- SHA256
  
  c5705ba72ba0827f49c4f42fda991076724c50f9ddb952a4bcab5d290218d907
- SHA512
  
  2d482cc0ae7effb4ab35df8495577280df60ea6ff48eca7a90c51994d3291bf1c8c07afb6c0697a8ca68b7ebc540a9df717c47fc17cae4a13992c99f1e66d670
- SSDEEP
  
  768:Otvo2+jk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJdeFWkuF6mQQcMQJ9acD9acyL:uWk3hbdlylKsgqopeJBWhZFGkE+cL2Ni
Score

10^/10

execution
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

© 2018-2024

Terms | Privacy