General

  • Target

    _____.xls.zip

  • Size

    145KB

  • Sample

    210312-x4rjgt9rcx

  • MD5

    197feed99f7e959f5e2b756b03fcf314

  • SHA1

    8b9b5e9185b8ce9ee4ae7ae7f59c01121d932545

  • SHA256

    006c3eedb21ea1f0499fb3b9624b3f104bd0223f9bd1f84b4017e8e60f9da3c0

  • SHA512

    863a2c016814e2c780e58fc467f66818f0041af664feea62065acd6244fdf5a7a0c52539e669b6ef917cc3b91d64dc412d02975a1f705e9e033e22ad562d2f8e

Score
10/10

Malware Config

Extracted

Language
xlm4.0 (Excel 4.0 macro sheet, the legacy macro language that predates VBA)
Source

Targets

    • Target

      _____.xls

    • Size

      153KB

    • MD5

      cb5a37aac155775daed9abcfd680f39c

    • SHA1

      75cfc87fe3f6f517e684729a558358fd5d492599

    • SHA256

      426edb65615875c5f8fd31118142f0b3d2e29b360a7995d69d58803e61c1f81e

    • SHA512

      cd12773f8a606b0e04e7e02f4b8f1abab1c8efb13008ee6134771954c857f32df6dfd7f74b5a43d206eae40ceac4219e09910c22918a02f2a57e95f747d9b39f

    Score
    10/10
    • Nloader

      Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Nloader Payload

    • Blocklisted process makes network request

    • Loads dropped DLL
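The five signatures above describe behaviours, not rules. The block below re-derives four of them from ordered host telemetry so a practitioner can see what each hit actually keys on: an Office parent spawning a child outside a benign allowlist, a blocklisted process (a LOLBin) making a network request, the Nloader URL keyword, and a DLL load whose path was written during the run. This is an added example, not Triage's own rule code; the Sysmon-like event shape, the Office parent list, the child allowlist, the LOLBin blocklist and the sample events are all assumptions constructed for illustration. The "Nloader Payload" hit is static payload identification and is not reproduced here.

```python
"""Re-derive this report's behavioural signatures from host telemetry.

Added example; this is not Triage's own rule code and the event records below
are constructed, not taken from the sandbox run. Assumed for illustration: the
Sysmon-like event shape, the Office parent list, the benign-child allowlist and
the LOLBin blocklist. The "Nloader Payload" hit (static payload identification)
is not reproduced here.
"""
import ntpath
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}        # assumed macro-capable parents
EXPECTED_OFFICE_CHILDREN = {"splwow64.exe", "conhost.exe"}        # assumed benign children; tune per estate
BLOCKLISTED_NETWORK = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                       "certutil.exe", "wscript.exe", "cscript.exe"}  # assumed LOLBin blocklist
NLOADER_URL_KEYWORD = "cambo"                                     # keyword named in the Nloader signature


def base(image: str) -> str:
    """Lower-cased file name of a Windows image path; ntpath handles backslashes on any OS."""
    return ntpath.basename(image).lower()


def analyze(events: List[Dict]) -> List[Dict]:
    """Single pass over ordered events; returns one finding per matching signature."""
    findings: List[Dict] = []
    image_of: Dict[int, str] = {}   # pid -> image, to attribute later network/load events
    dropped = set()                 # files written during the run ("dropped" files), lower-cased
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image_of[ev["pid"]] = ev["image"]
            parent, child = base(ev["parent_image"]), base(ev["image"])
            if parent in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
                findings.append({"signature": "Process spawned unexpected child process",
                                 "pid": ev["pid"], "detail": f"{parent} -> {child}"})
        elif kind == "file_create":
            dropped.add(ev["path"].lower())
        elif kind == "network":
            proc = base(image_of.get(ev["pid"], ""))
            url = ev["url"]
            if proc in BLOCKLISTED_NETWORK:
                findings.append({"signature": "Blocklisted process makes network request",
                                 "pid": ev["pid"], "detail": f"{proc} -> {url}"})
            if NLOADER_URL_KEYWORD in url.lower():
                findings.append({"signature": "Nloader", "pid": ev["pid"], "detail": url})
        elif kind == "image_load":
            path = ev["image_loaded"].lower()
            if path.endswith(".dll") and path in dropped:
                findings.append({"signature": "Loads dropped DLL", "pid": ev["pid"], "detail": path})
    return findings


def matched_signatures(events: List[Dict]) -> List[str]:
    """Distinct signature names, in the order first matched."""
    seen: List[str] = []
    for f in analyze(events):
        if f["signature"] not in seen:
            seen.append(f["signature"])
    return seen


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
# Constructed events modelling the chain this report describes
# (Excel 4.0 macro -> LOLBin child -> download -> dropped DLL loaded).
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1200, "parent_image": r"C:\Windows\explorer.exe", "image": EXCEL},
    {"event": "process_create", "pid": 1300, "parent_image": EXCEL, "image": r"C:\Windows\splwow64.exe"},  # benign print helper
    {"event": "process_create", "pid": 1400, "parent_image": EXCEL, "image": r"C:\Windows\System32\regsvr32.exe"},
    {"event": "network", "pid": 1400, "url": "http://198.51.100.7/cambo/x.dll"},   # RFC 5737 documentation address
    {"event": "file_create", "pid": 1400, "path": r"C:\Users\user\AppData\Local\Temp\x.dll"},
    {"event": "image_load", "pid": 1400, "image_loaded": r"C:\Users\user\AppData\Local\Temp\x.dll"},
    {"event": "image_load", "pid": 1200, "image_loaded": r"C:\Windows\System32\kernel32.dll"},  # not dropped: no hit
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['signature']}] pid={f['pid']} {f['detail']}")
```

The "Loads dropped DLL" rule deliberately requires the loaded path to appear in an earlier file_create rather than simply living under Temp or AppData: that is what separates a dropped module from a legitimately installed one, and it is why the kernel32.dll load in the sample produces no hit. The keyword match for Nloader is the weakest of the four and should be corroborated by the process-chain hits, as it is in the sample.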

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                       ID     Hits

Defense Evasion   Modify Registry                 T1112  1
Discovery         Query Registry                  T1012  2
Discovery         System Information Discovery    T1082  2

Tasks