Overview

overview

10

Static

static

8

cancel_sub...4.xlsb

windows7_x64

10

cancel_sub...4.xlsb

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cancel_sub_JPL12345678901234.xlsb.zip

  • Size

    218KB

  • Sample

    210519-y2kz3esn76

  • MD5

    fbcf88c7c823f370069c4556f9dd7c91

  • SHA1

    5577945b974ea6335fcc37ea80e708cb4295224e

  • SHA256

    2abe5df892b139bb3f88019ac0f5b2856c6dd853362dc2f723292fe8d33619c1

  • SHA512

    9e8790e89ef5b2ee54b6396ae87e4e344891da636f41d446b6f70d4d6a55ee1555da1256ccef3d521a4cb63b202eb7bcbb24068ef0ff9e42673573ee8d9ddbe3

Score
10/10
nloaderloadermacroxlm

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Target

      cancel_sub_JPL12345678901234.xlsb

    • Size

      241KB

    • MD5

      b4a0b38ff2bd7619e42c0f1d1fb0171b

    • SHA1

      c0e61bcc7139bc2342e5a9eb9a2bc056c475624d

    • SHA256

      3cc4948d4d3cac89a74284ae4dc49d177b834f295e9f767a46dcd73726b7239d

    • SHA512

      8830468a4f8ee1032abe7ede05fdc11fb592355c81447bf0d65b995a6d6a55fc399025084bb74bb7f4b52a14ee7a2ea79a2100480222c1da95e19b3b4a59cff5

    Score
    10/10
    nloaderloader

    • Nloader

      Simple loader that includes the keyword 'campo' in the URL used to download other families.

      loadernloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Nloader Payload

    • Blocklisted process makes network request

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks