General

  • Target: 640a91f196f3e0e14674fc22ecce5aa7958d392450c6ea5889db1067896d922d
  • Size: 53KB
  • Sample: 230129-x2z2cacb4t
  • MD5: feacb5a5821e4135361be63a220132fa
  • SHA1: 4c13caa369b1561286e5c1e98392866590a1ca43
  • SHA256: 640a91f196f3e0e14674fc22ecce5aa7958d392450c6ea5889db1067896d922d
  • SHA512: efd86b694264314583be6d57efdbac58d89762ce8723ff35c885d10c4f3e588621e2e76ab55c1a38ba68ecf39c5e93adec5ecfdbd0768bc82fc7842225f9ee95
  • SSDEEP: 1536:iY2ECmlI+PqyhWzmMrH3lZbVz6EIKaVCi:b2ECqI+PThWjrH1ZxOEYQi

Score: 10/10

Malware Config

Extracted

  • Language: xlm4.0
  • Source / URLs:
    xlm40.dropper  http://sumonpro.xyz/nseoqnwbbvmc/44955850889583300000.dat
    xlm40.dropper  http://vngkinderopvang.nl/rmyjq/44955850889583300000.dat
    xlm40.dropper  http://stadt-fuchs.net/gwixglx/44955850889583300000.dat
    xlm40.dropper  http://hdmedia.pro/noexyryqori/44955850889583300000.dat
    xlm40.dropper  http://www.fernway.com/xjhuljbqv/44955850889583300000.dat

Extracted

  • Language: xlm4.0
  • Source / URLs:
    xlm40.dropper  http://sumonpro.xyz/nseoqnwbbvmc/44955848520486100000.dat
    xlm40.dropper  http://vngkinderopvang.nl/rmyjq/44955848520486100000.dat
    xlm40.dropper  http://stadt-fuchs.net/gwixglx/44955848520486100000.dat
    xlm40.dropper  http://hdmedia.pro/noexyryqori/44955848520486100000.dat
    xlm40.dropper  http://www.fernway.com/xjhuljbqv/44955848520486100000.dat

Targets

  • Target: Cancellation_Letter_1890704928-02242021.xls
  • Size: 143KB
  • MD5: 0d77e619d3652249d3424f46650d85b5
  • SHA1: 62983f38e8a5275e3ac30f8a76e8886291c6fd7a
  • SHA256: e6ea08afb1528f524fd091fae173be6aec7d4a02ea13725c547314df7dceff4d
  • SHA512: 9fd82d78380816b481b3eb1f1108832e098ce9286e3cc62a7a11931fbdf4047e5ca13023bf4618b5a4f7674b88197eadc1100e81a9965a18c1bda356767182a8
  • SSDEEP: 3072:6cPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMFt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/v:6cPiTQAVW/89BQnmlcGvgZ7r3J8YUOMK
  • Score: 10/10
  • Signature: Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), count 1
  • Discovery: Query Registry (T1012), count 2
  • Discovery: System Information Discovery (T1082), count 2