詳細情報.xlsb

General

Target: 詳細情報.xlsb
Filesize: 153KB
Completed: 12-03-2021 04:47
Score: 10/10
MD5: cb5a37aac155775daed9abcfd680f39c
SHA1: 75cfc87fe3f6f517e684729a558358fd5d492599
SHA256: 426edb65615875c5f8fd31118142f0b3d2e29b360a7995d69d58803e61c1f81e

Malware Config
Signatures 11

Discovery
  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process
    certutil.exe, rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1292 | 4704 | certutil.exe | EXCEL.EXE
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 4012 | 4704 | rundll32.exe | EXCEL.EXE
  • Nloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4368-13-0x00000000007F0000-0x00000000007F9000-memory.dmp | nloader
    behavioral2/memory/4368-14-0x0000000010000000-0x0000000010007000-memory.dmp | nloader
    behavioral2/memory/4368-15-0x0000000000AA0000-0x0000000000AA5000-memory.dmp | nloader
    behavioral2/memory/4368-16-0x00000000007E0000-0x00000000007E7000-memory.dmp | nloader
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    27 | 4368 | rundll32.exe
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pid | process
    4368 | rundll32.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    4704 | EXCEL.EXE
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    4704 | EXCEL.EXE (2 identical entries)
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    4704 | EXCEL.EXE (12 identical entries)
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, rundll32.exe

    Reported IOCs

    description | pid | process | target process
    PID 4704 wrote to memory of 1292 | 4704 | EXCEL.EXE | certutil.exe (2 identical entries)
    PID 4704 wrote to memory of 4012 | 4704 | EXCEL.EXE | rundll32.exe (2 identical entries)
    PID 4012 wrote to memory of 4368 | 4012 | rundll32.exe | rundll32.exe (3 identical entries)
Processes 4
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\詳細情報.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Windows\System32\certutil.exe
      "C:\Windows\System32\certutil.exe" -decode C:\Users\Public\jahi1419.png C:\Users\Public\jahi1419.pn
      Process spawned unexpected child process
      PID:1292
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi1419.pn,DF j1
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" C:\Users\Public\jahi1419.pn,DF j1
        Blocklisted process makes network request
        Loads dropped DLL
        PID:4368
Network

MITRE ATT&CK Matrix

Matrix columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Public\jahi1419.pn
    MD5: 8a9a8739404210e7e454dc2466872f23
    SHA1: a3dbb6cb1eed87147f734c933e087bd66954ca18
    SHA256: 8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4
    SHA512: 2479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e

  • C:\Users\Public\jahi1419.png
    MD5: a72d21e3af2cefc6ce364953a8e2d8b5
    SHA1: 34ed7ede30fee07b0bf64b56404bd5d43dad0be9
    SHA256: 0bd28eb6cbff3d7344f3e5718729ada8317edcf16e231f925dafd964cc44dcad
    SHA512: 606b0694680d5c4b350bc2c48b3e15399fcd94ced1977f5d423a58af2c789d72dc19e9371f1db0b7d0c953b211785851e19666dcd347d8a6a03b325eddbc4ec1

  • \Users\Public\jahi1419.pn
    MD5: 8a9a8739404210e7e454dc2466872f23
    SHA1: a3dbb6cb1eed87147f734c933e087bd66954ca18
    SHA256: 8229a6d0339c001fd0ce51db1b10748d37c838baee130afea2488f2ad0e05ac4
    SHA512: 2479c99ffc4002c909a1e6acf66ed2b6dc32efeea0b6182eb2ca8bb5cbe65bd85e507a0bab5f1e38232918cf59f29b592dc1f83b4d9684106ebf5707e057726e

  • memory/1292-7-0x0000000000000000-mapping.dmp
  • memory/4012-9-0x0000000000000000-mapping.dmp
  • memory/4368-13-0x00000000007F0000-0x00000000007F9000-memory.dmp
  • memory/4368-11-0x0000000000000000-mapping.dmp
  • memory/4368-15-0x0000000000AA0000-0x0000000000AA5000-memory.dmp
  • memory/4368-14-0x0000000010000000-0x0000000010007000-memory.dmp
  • memory/4368-16-0x00000000007E0000-0x00000000007E7000-memory.dmp
  • memory/4704-6-0x00007FF965210000-0x00007FF965220000-memory.dmp
  • memory/4704-5-0x00007FF988AF0000-0x00007FF989127000-memory.dmp
  • memory/4704-4-0x00007FF965210000-0x00007FF965220000-memory.dmp
  • memory/4704-3-0x00007FF965210000-0x00007FF965220000-memory.dmp
  • memory/4704-2-0x00007FF965210000-0x00007FF965220000-memory.dmp