Resubmissions

Date              Sample               Score
14-03-2021 22:55  210314-13c6hw62za    8
14-03-2021 22:03  210314-lv2kdby9vx    10

General

  • Target

    3952.xlsm.zip

  • Size

    23KB

  • Sample

    210314-lv2kdby9vx

  • MD5

    a69f6fd9c508d1dd139c838b476ed55f

  • SHA1

    36b159024a0442ae2ee8da7a6852150d112263ba

  • SHA256

    1cf56cb4154e8d0ac4ac72fc7b5ec85627040c5c8f3af3adec61e83bb3cf71ec

  • SHA512

    fafa59c11c898643a9ad44605bf39ba94150a82fff8d0b3bde09c57674ae103ea9e54e46ed060bbd366a478816294feb5f438d68487a14a588b183771f285542

Score
10/10

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://catedraloor.com/server.php
    https://fernandogaleano.com/server.php

Targets

    • Target

      3952.xlsm

    • Size

      25KB

    • MD5

      3e171388734cd76415b35beebaf35dc8

    • SHA1

      6c12e129fedce3b929cd684b338fca55f4c0f68b

    • SHA256

      45e10a76f4162773e2456f75a1781729aa203600be5b041e17e31a4d9ac415f8

    • SHA512

      959293bb33adee979eeaa77b5c08676f1de58b0cd2d81e52e292002454d8993eca8b315f2c2614595f3a6ccd290e0f68e6bca6c0d5c9b7cea4b7633432705daf

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes itself

MITRE ATT&CK Matrix ATT&CK v6

Tactic           Technique                       Count  ID
Defense Evasion  Modify Registry                 1      T1112
Discovery        Query Registry                  2      T1012
Discovery        System Information Discovery    2      T1082
