Overview

overview

10

Static

static

8

order_Z001...5.xlsb

windows7_x64

10

order_Z001...5.xlsb

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    order_Z0012112202927225.xlsb.zip

  • Size

    285KB

  • Sample

    210428-xpdg96jaln

  • MD5

    d74e49be4cb3907cf2704deb46b896ab

  • SHA1

    62322b1d4d7a9013caa109eb69b06f672138f926

  • SHA256

    b8a21d119eb9180441ad0dd33bb760e3ca924a58ef78e7ec39fd24f2362e72f0

  • SHA512

    8a0bc031f63a48e6fc2fe146bb88a20004b5815b0346c89e88cdf950ac5f9185feb0972759484c3e8f1a05bb7c41a5e37920ff993664ff7593ba150f2254f27f

Score
10/10
nloaderloadermacroupxxlm

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Target

      order_Z0012112202927225.xlsb

    • Size

      306KB

    • MD5

      7e00f1f0fabe5bf5404589000e61a9af

    • SHA1

      9429673fccc8b550a21ea9582c958f8772497b64

    • SHA256

      39d99432698540f5ea6b8acf77b2323e2cde143638694bbd726e161924885059

    • SHA512

      10faa2e7df209ae1f42be832b56af639769657068165b908e3d13a79c1df460c860b6a3fdfb4c0bb58e36f29104f21a3d218d568f88a1c895601e8a0319a6589

    Score
    10/10
    nloaderloaderupx

    • Nloader

      Simple loader that includes the keyword 'campo' in the URL used to download other families.

      loadernloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Nloader Payload

    • Blocklisted process makes network request

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks