General

  • Target

    cancel_sub_JPL12345678901234.xlsb

  • Size

    267KB

  • Sample

    210519-h78s2ezea6

  • MD5

    21a57dbd1dad6aec8edbbaeddabac81b

  • SHA1

    f20bdcb3970bc9fabfff60628a71cfe318d4efe9

  • SHA256

    42aeef1b5f9d53105bd3d9076b7634e1eed53f89c9e3577426f4c51441e4fca4

  • SHA512

    a2339ff6347d6d3dff885b8317de5a87df589462052ac2c6dc8fb09715aca149379bc7e71e7c1ba2ccae976e7d0d4d1790971db6dc92b57ab35810953bc73563

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Target

      cancel_sub_JPL12345678901234.xlsb

    • Size

      267KB

    • MD5

      21a57dbd1dad6aec8edbbaeddabac81b

    • SHA1

      f20bdcb3970bc9fabfff60628a71cfe318d4efe9

    • SHA256

      42aeef1b5f9d53105bd3d9076b7634e1eed53f89c9e3577426f4c51441e4fca4

    • SHA512

      a2339ff6347d6d3dff885b8317de5a87df589462052ac2c6dc8fb09715aca149379bc7e71e7c1ba2ccae976e7d0d4d1790971db6dc92b57ab35810953bc73563

    Score
    10/10
    • Nloader

      Simple loader that includes the keyword 'campo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Nloader Payload

    • Blocklisted process makes network request

    • Loads dropped DLL

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Tasks