General

  • Target

    cancel_sub_JPL12345678901234.xlsb

  • Size

    260KB

  • Sample

    210519-hce37drhmx

  • MD5

    80fdec003c86c583473a9fbbabf40d2f

  • SHA1

    991940040a50a0be56572e4a9ab73d6d4dbab050

  • SHA256

    49e315aa89bf10972518c3069a767c869bbf7027c298afd11ab21040285b3f9e

  • SHA512

    022475db6593d15bdcc1411f7c3b88a8822311f621506401ad3ba33ddc2a52ae6e97e4357e3742bf59ef287c033f5363cb5d2021be793d5552a3a8b73b85cfa5

Score
10/10

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

Targets

    • Target

      cancel_sub_JPL12345678901234.xlsb

    Score
    10/10
    • Nloader

      Simple loader that includes the keyword 'campo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Nloader Payload

    • Blocklisted process makes network request

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks