General

  • Target

    maldoc.xls

  • Size

    293KB

  • Sample

    210505-nge27vhwz6

  • MD5

    3a53da03a882458b32904991b479b7bd

  • SHA1

    27da495de0fb5488c972eb762bc1c6d77baea804

  • SHA256

    6c6ce2ca3d8f6796017905c5a41899cb2e99bf0aa190ed69de81363d314e52b9

  • SHA512

    b3a5523fb3d8edc54b3a5a97cc55f19d4fbd220e1f40c8ebe9d2948c5fd2a9fc78dac669a55dcd9a58e9f9c417dc7aa09e800badeb3781a9d920d894f90946a1

  • Score

    10/10

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://atlantisprojects.ca/cheryasd.dll

Targets

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Adds Run key to start application
