nloader | 056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7

General

Target

subscription_1616167805.xlsb
Size

328KB
MD5

d17e780a23c19a5ce5c2a0d4abc19b55
SHA1

d3d73e9f08cb6d880dc163149d352a197dac7300
SHA256

056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7
SHA512

df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab

Score

10^/10

nloader loader

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1792	2044	cmd.exe	EXCEL.EXE

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/748-14-0x0000000000130000-0x0000000000139000-memory.dmp	nloader
behavioral1/memory/748-15-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral1/memory/748-16-0x0000000000150000-0x0000000000155000-memory.dmp	nloader
behavioral1/memory/748-17-0x0000000000120000-0x0000000000126000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 748 rundll32.exe
5 748 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

klga.exe

pid process

696 klga.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

748 rundll32.exe
748 rundll32.exe
748 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	748	rundll32.exe
5	748	rundll32.exe

pid	process
696	klga.exe

pid	process
748	rundll32.exe
748	rundll32.exe
748	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2044 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2044 EXCEL.EXE
2044 EXCEL.EXE
2044 EXCEL.EXE

pid	process
2044	EXCEL.EXE

pid	process
2044	EXCEL.EXE
2044	EXCEL.EXE
2044	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 2044 wrote to memory of 1792	2044	EXCEL.EXE	cmd.exe
PID 2044 wrote to memory of 1792	2044	EXCEL.EXE	cmd.exe
PID 2044 wrote to memory of 1792	2044	EXCEL.EXE	cmd.exe
PID 2044 wrote to memory of 1792	2044	EXCEL.EXE	cmd.exe
PID 1792 wrote to memory of 1768	1792	cmd.exe	certutil.exe
PID 1792 wrote to memory of 1768	1792	cmd.exe	certutil.exe
PID 1792 wrote to memory of 1768	1792	cmd.exe	certutil.exe
PID 1792 wrote to memory of 1768	1792	cmd.exe	certutil.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 1792 wrote to memory of 748	1792	cmd.exe	rundll32.exe
PID 748 wrote to memory of 696	748	rundll32.exe	klga.exe
PID 748 wrote to memory of 696	748	rundll32.exe	klga.exe
PID 748 wrote to memory of 696	748	rundll32.exe	klga.exe
PID 748 wrote to memory of 696	748	rundll32.exe	klga.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\certutil.exe
certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0
3⤵
PID:1768

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\1171.0,DF
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748

C:\ProgramData\klga\klga.exe
"C:\ProgramData\klga\klga.exe"
4⤵
- Executes dropped EXE
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\klga\klga.exe
MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\Users\Public\1171.0
MD5
480db4035b4be0d96a43f44b77947b9c

SHA1
de066e080a64b61325f747f1e021df07caeabc0b

SHA256
c63683a48bafacd5adf8814244142263f3b1033d053d50b93cc1f479b7dba98c

SHA512
81c310ca460348451a69ae4f3bf1dd2b720a772399e9f2dee5232a9df77798a06518f265087f9cd84d772ebb700799cd29f312d1d8eedf871bb0d630fb19e39a

Download Submit
C:\Users\Public\1171.d0
MD5
ce3590b97179ba87c9c71ae51378949a

SHA1
a435d40dc12fd837c5433eb4543d2b27200aa745

SHA256
67d178a28e2defbe4bfd95d38643b0ad6e35ef5597e97934bf93ca905968b0be

SHA512
7f263d15f13b1a4fd5e4ec272a86bbe5ba9972545fa25fb505eff4f875d0fe697a6acc5adaf25d3ec560771b56efe536d88edcced76ad74e3fcd3fc0c9ccef58

Download Submit
\ProgramData\klga\klga.exe
MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
\ProgramData\klga\klga.exe
MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
\Users\Public\1171.0
MD5
480db4035b4be0d96a43f44b77947b9c

SHA1
de066e080a64b61325f747f1e021df07caeabc0b

SHA256
c63683a48bafacd5adf8814244142263f3b1033d053d50b93cc1f479b7dba98c

SHA512
81c310ca460348451a69ae4f3bf1dd2b720a772399e9f2dee5232a9df77798a06518f265087f9cd84d772ebb700799cd29f312d1d8eedf871bb0d630fb19e39a

Download Submit
memory/696-20-0x0000000000000000-mapping.dmp

Download
memory/748-15-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/748-10-0x0000000000000000-mapping.dmp

Download
memory/748-14-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/748-16-0x0000000000150000-0x0000000000155000-memory.dmp

Filesize
20KB

Download
memory/748-17-0x0000000000120000-0x0000000000126000-memory.dmp

Filesize
24KB

Download
memory/1768-8-0x0000000075251000-0x0000000075253000-memory.dmp

Filesize
8KB

Download
memory/1768-7-0x0000000000000000-mapping.dmp

Download
memory/1772-5-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1792-6-0x0000000000000000-mapping.dmp

Download
memory/2044-2-0x000000002F081000-0x000000002F084000-memory.dmp

Filesize
12KB

Download
memory/2044-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-3-0x0000000071671000-0x0000000071673000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads