NLPV.509GmbH.xlsm

General

Target: NLPV.509GmbH.xlsm
Size: 177KB
Sample: 211014-fvblqsgbdj
Score: 10/10
MD5: 6e75c56863ea4ab6258b772bd35c6136
SHA1: 3936c220b3a5d2a61c4125f153e2ff60e8c17ae9
SHA256: 033fdf937a1c21b3c1b554193b98349d6dee6501eec1aa8fe4ed5ae703399be1
SHA512: eea2fef19a8f01d61554537a3e4b9f053aab8609734fbc3b4109cf49ae66bf27a24f9a99db3bd0d268d741fb43a47dc6a180be4de843073e9a66dfca907797e8

Malware Config

Extracted

Language: ps1
Deobfuscated: yes
URLs (exe.dropper):
  • http://samlighter.com/Loveday.exe

Targets

Target: NLPV.509GmbH.xlsm
Filesize: 177KB
Score: 10/10
MD5: 6e75c56863ea4ab6258b772bd35c6136
SHA1: 3936c220b3a5d2a61c4125f153e2ff60e8c17ae9
SHA256: 033fdf937a1c21b3c1b554193b98349d6dee6501eec1aa8fe4ed5ae703399be1
SHA512: eea2fef19a8f01d61554537a3e4b9f053aab8609734fbc3b4109cf49ae66bf27a24f9a99db3bd0d268d741fb43a47dc6a180be4de843073e9a66dfca907797e8

Signatures

  • Process spawned unexpected child process
    Description: This typically indicates the parent process was compromised via an exploit or macro.
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Deletes itself
  • Loads dropped DLL

Related Tasks

MITRE ATT&CK Matrix

Columns shown (no technique entries present in the extracted report): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

  • static1: 8/10
  • behavioral1: 10/10
  • behavioral2: 10/10