General

  • Target

    cancel_sub_JPL12345678901234.xlsb

  • Size

    241KB

  • Sample

    210518-y1e2nhs97e

  • MD5

    b4a0b38ff2bd7619e42c0f1d1fb0171b

  • SHA1

    c0e61bcc7139bc2342e5a9eb9a2bc056c475624d

  • SHA256

    3cc4948d4d3cac89a74284ae4dc49d177b834f295e9f767a46dcd73726b7239d

  • SHA512

    8830468a4f8ee1032abe7ede05fdc11fb592355c81447bf0d65b995a6d6a55fc399025084bb74bb7f4b52a14ee7a2ea79a2100480222c1da95e19b3b4a59cff5

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Nloader

      Simple loader that includes the keyword 'campo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Nloader Payload

    • Blocklisted process makes network request

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks