Analysis

  • max time kernel
    118s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-03-2021 15:42

General

  • Target

    subscription_1616167805.xlsb

  • Size

    328KB

  • MD5

    d17e780a23c19a5ce5c2a0d4abc19b55

  • SHA1

    d3d73e9f08cb6d880dc163149d352a197dac7300

  • SHA256

    056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7

  • SHA512

    df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Nloader

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 4 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\certutil.exe
        certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0
        3⤵
          PID:1768
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\1171.0,DF
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:748
          • C:\ProgramData\klga\klga.exe
            "C:\ProgramData\klga\klga.exe"
            4⤵
            • Executes dropped EXE
            PID:696

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/748-15-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

    • memory/748-14-0x0000000000130000-0x0000000000139000-memory.dmp

      Filesize

      36KB

    • memory/748-16-0x0000000000150000-0x0000000000155000-memory.dmp

      Filesize

      20KB

    • memory/748-17-0x0000000000120000-0x0000000000126000-memory.dmp

      Filesize

      24KB

    • memory/1768-8-0x0000000075251000-0x0000000075253000-memory.dmp

      Filesize

      8KB

    • memory/1772-5-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

      Filesize

      2.5MB

    • memory/2044-2-0x000000002F081000-0x000000002F084000-memory.dmp

      Filesize

      12KB

    • memory/2044-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2044-3-0x0000000071671000-0x0000000071673000-memory.dmp

      Filesize

      8KB