Overview

overview

10

Static

static

Bill of Lading.xlsm

windows7_x64

10

Bill of Lading.xlsm

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bill of Lading.xlsm

  • Size

    52KB

  • Sample

    200710-whybwqbnrj

  • MD5

    0cac1b783270081d56ad48554de3d0e8

  • SHA1

    2afa117869dfb3cbf34979e2d01dd64de663e9a9

  • SHA256

    0eeac411948772d2f29c4ed276d4f4419e17ab82762afb7d33ebd28ca00f6fa6

  • SHA512

    10e9cf38b7ec171e1b442571c538288b09994e2226f58dda8e66d6e990fefae9f01499890f72445a54e3b8fdc4a1a2e31c83d6e1d01d2f74d32eb88c35d48983

Score
10/10
persistence

Malware Config

Targets

    • Target

      Bill of Lading.xlsm

    • Size

      52KB

    • MD5

      0cac1b783270081d56ad48554de3d0e8

    • SHA1

      2afa117869dfb3cbf34979e2d01dd64de663e9a9

    • SHA256

      0eeac411948772d2f29c4ed276d4f4419e17ab82762afb7d33ebd28ca00f6fa6

    • SHA512

      10e9cf38b7ec171e1b442571c538288b09994e2226f58dda8e66d6e990fefae9f01499890f72445a54e3b8fdc4a1a2e31c83d6e1d01d2f74d32eb88c35d48983

    Score
    10/10
    persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blacklisted process makes network request

    • Executes dropped EXE

    • Adds Run entry to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks