nloader | 785cee1832087169cb5ea280304865f96fa3ca42d6af6b97acb0204837d6c4d6

General

Target

subscription_1617037035.xlsb
Size

176KB
MD5

94dee992c9b32337944c537faad98fc3
SHA1

03028e9d85889ef3f6d7a202fa8b48d4f28189cc
SHA256

785cee1832087169cb5ea280304865f96fa3ca42d6af6b97acb0204837d6c4d6
SHA512

d47f9b88624e14a4f8b7cc0e1ad0aac7450d1699527f7997ec098e5ce023f2d713296cafa35aee4199dd1ef93236928454c9e60a342b4a0f70902833d85ac5fd

Score

10^/10

nloader loader

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1540	1852	cmd.exe	EXCEL.EXE

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1720-16-0x00000000001E0000-0x00000000001E5000-memory.dmp	nloader
behavioral1/memory/1720-15-0x00000000000D0000-0x00000000000D7000-memory.dmp	nloader
behavioral1/memory/1720-14-0x00000000000C0000-0x00000000000C9000-memory.dmp	nloader
behavioral1/memory/1720-17-0x00000000000B0000-0x00000000000B6000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 1720 rundll32.exe
6 1720 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1720 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
3	1720	rundll32.exe
6	1720	rundll32.exe

pid	process
1720	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1852 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1852 EXCEL.EXE
1852 EXCEL.EXE
1852 EXCEL.EXE

pid	process
1852	EXCEL.EXE

pid	process
1852	EXCEL.EXE
1852	EXCEL.EXE
1852	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

EXCEL.EXEcmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 1540	1852	EXCEL.EXE	cmd.exe
PID 1852 wrote to memory of 1540	1852	EXCEL.EXE	cmd.exe
PID 1852 wrote to memory of 1540	1852	EXCEL.EXE	cmd.exe
PID 1852 wrote to memory of 1540	1852	EXCEL.EXE	cmd.exe
PID 1540 wrote to memory of 1804	1540	cmd.exe	certutil.exe
PID 1540 wrote to memory of 1804	1540	cmd.exe	certutil.exe
PID 1540 wrote to memory of 1804	1540	cmd.exe	certutil.exe
PID 1540 wrote to memory of 1804	1540	cmd.exe	certutil.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe
PID 1540 wrote to memory of 1720	1540	cmd.exe	rundll32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617037035.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1 && rundll32 %PUBLIC%\4123.do1,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
3⤵
PID:1804

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\4123.do1

MD5
f776deb4df137b37dcae5406c8f3a07a

SHA1
f6a31b594fca39c118927405fa4d14353b8fd49a

SHA256
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

SHA512
4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

Download Submit
C:\Users\Public\4123.xsg

MD5
c87e1dee1275fed1f7ee813b97ccb17b

SHA1
e8313978e3c0dff6355b843cd470949c719032c6

SHA256
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d

SHA512
2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35

Download Submit
\Users\Public\4123.do1

MD5
f776deb4df137b37dcae5406c8f3a07a

SHA1
f6a31b594fca39c118927405fa4d14353b8fd49a

SHA256
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

SHA512
4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

Download Submit
memory/528-5-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp

Filesize
2.5MB

Download
memory/1540-6-0x0000000000000000-mapping.dmp

Download
memory/1720-10-0x0000000000000000-mapping.dmp

Download
memory/1720-16-0x00000000001E0000-0x00000000001E5000-memory.dmp

Filesize
20KB

Download
memory/1720-15-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1720-14-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1720-17-0x00000000000B0000-0x00000000000B6000-memory.dmp

Filesize
24KB

Download
memory/1804-8-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1804-7-0x0000000000000000-mapping.dmp

Download
memory/1852-2-0x000000002FA91000-0x000000002FA94000-memory.dmp

Filesize
12KB

Download
memory/1852-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1852-3-0x00000000719D1000-0x00000000719D3000-memory.dmp

Filesize
8KB

Download
memory/1852-18-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1852-19-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads