詳細情報.xlsb

General
Target

詳細情報.xlsb

Filesize

153KB

Completed

12-03-2021 04:47

Score

10/10
MD5

cb5a37aac155775daed9abcfd680f39c

SHA1

75cfc87fe3f6f517e684729a558358fd5d492599

SHA256

426edb65615875c5f8fd31118142f0b3d2e29b360a7995d69d58803e61c1f81e

Malware Config

Extracted

Language xlm4.0
Source
Signatures 12

Defense Evasion
Discovery
  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process
    certutil.exe, rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1612 | 1856 | certutil.exe | EXCEL.EXE
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1772 | 1856 | rundll32.exe | EXCEL.EXE
  • Nloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1772-13-0x00000000001C0000-0x00000000001C9000-memory.dmp | nloader
    behavioral1/memory/1772-14-0x0000000010000000-0x0000000010007000-memory.dmp | nloader
    behavioral1/memory/1772-17-0x00000000001B0000-0x00000000001B7000-memory.dmp | nloader
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pid | process
    1772 | rundll32.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1760 | 1772 | WerFault.exe | rundll32.exe
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1856 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe

    Reported IOCs

    pid | process
    1760 | WerFault.exe
    1760 | WerFault.exe
    1760 | WerFault.exe
    1760 | WerFault.exe
    1760 | WerFault.exe
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1760 | WerFault.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1856 | EXCEL.EXE
    1856 | EXCEL.EXE
    1856 | EXCEL.EXE
    1856 | EXCEL.EXE
    1856 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 1856 wrote to memory of 1612 | 1856 | EXCEL.EXE | certutil.exe
    PID 1856 wrote to memory of 1612 | 1856 | EXCEL.EXE | certutil.exe
    PID 1856 wrote to memory of 1612 | 1856 | EXCEL.EXE | certutil.exe
    PID 1856 wrote to memory of 1612 | 1856 | EXCEL.EXE | certutil.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1856 wrote to memory of 1772 | 1856 | EXCEL.EXE | rundll32.exe
    PID 1772 wrote to memory of 1760 | 1772 | rundll32.exe | WerFault.exe
    PID 1772 wrote to memory of 1760 | 1772 | rundll32.exe | WerFault.exe
    PID 1772 wrote to memory of 1760 | 1772 | rundll32.exe | WerFault.exe
    PID 1772 wrote to memory of 1760 | 1772 | rundll32.exe | WerFault.exe
Processes 4
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\詳細情報.xlsb
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi1635.png C:\Users\Public\jahi1635.pn
      Process spawned unexpected child process
      PID:1612
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi1635.pn,DF j1
      Process spawned unexpected child process
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 332
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:1760
Network

MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads
  • C:\Users\Public\jahi1635.pn

    MD5

    8a9a8739404210e7e454dc2466872f23

    SHA1

    a3dbb6cb1eed87147f734c933e087bd66954ca18

    SHA256

    8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4

    SHA512

    2479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e

  • C:\Users\Public\jahi1635.png

    MD5

    a72d21e3af2cefc6ce364953a8e2d8b5

    SHA1

    34ed7ede30fee07b0bf64b56404bd5d43dad0be9

    SHA256

    0bd28eb6cbff3d7344f3e5718729ada8317edcf16e231f925dafd964cc44dcad

    SHA512

    606b0694680d5c4b350bc2c48b3e15399fcd94ced1977f5d423a58af2c789d72dc19e9371f1db0b7d0c953b211785851e19666dcd347d8a6a03b325eddbc4ec1

  • \Users\Public\jahi1635.pn

    MD5

    8a9a8739404210e7e454dc2466872f23

    SHA1

    a3dbb6cb1eed87147f734c933e087bd66954ca18

    SHA256

    8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4

    SHA512

    2479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e

  • memory/324-5-0x000007FEF7F70000-0x000007FEF81EA000-memory.dmp
  • memory/1612-6-0x0000000000000000-mapping.dmp
  • memory/1612-7-0x00000000767E1000-0x00000000767E3000-memory.dmp
  • memory/1760-15-0x0000000000000000-mapping.dmp
  • memory/1760-16-0x0000000002390000-0x00000000023A1000-memory.dmp
  • memory/1760-18-0x0000000000380000-0x0000000000381000-memory.dmp
  • memory/1772-9-0x0000000000000000-mapping.dmp
  • memory/1772-13-0x00000000001C0000-0x00000000001C9000-memory.dmp
  • memory/1772-14-0x0000000010000000-0x0000000010007000-memory.dmp
  • memory/1772-17-0x00000000001B0000-0x00000000001B7000-memory.dmp
  • memory/1856-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
  • memory/1856-3-0x00000000719D1000-0x00000000719D3000-memory.dmp
  • memory/1856-2-0x000000002FE31000-0x000000002FE34000-memory.dmp