nloader | bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88

General

Target

subscription_1617898525.xlsb
Size

250KB
MD5

9d39f307b0d6276450038cca7568b2cc
SHA1

72d0c43d84791c50e600d85e6deb2b9021cf7056
SHA256

bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88
SHA512

17e98e6da13405142295953f6deb0cd7d44751bf83a22833a7b9747e21ae46630c1edb7d176edcd21f14428182135db181153a06ddd9e3fc70246514f6f1f127

Score

10^/10

nloader loader

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	532	1244	cmd.exe	EXCEL.EXE

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-70-0x00000000000E0000-0x00000000000E5000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

4 1932 rundll32.exe
5 1932 rundll32.exe
Executes dropped EXE 1 IoCs

Processes:

huqgk.exe

pid process

1540 huqgk.exe
Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

1932 rundll32.exe
1932 rundll32.exe
1932 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

flow	pid	process
4	1932	rundll32.exe
5	1932	rundll32.exe

pid	process
1540	huqgk.exe

pid	process
1932	rundll32.exe
1932	rundll32.exe
1932	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1244 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1244 EXCEL.EXE
1244 EXCEL.EXE
1244 EXCEL.EXE

pid	process
1244	EXCEL.EXE

pid	process
1244	EXCEL.EXE
1244	EXCEL.EXE
1244	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 1244 wrote to memory of 532	1244	EXCEL.EXE	cmd.exe
PID 1244 wrote to memory of 532	1244	EXCEL.EXE	cmd.exe
PID 1244 wrote to memory of 532	1244	EXCEL.EXE	cmd.exe
PID 1244 wrote to memory of 532	1244	EXCEL.EXE	cmd.exe
PID 532 wrote to memory of 328	532	cmd.exe	certutil.exe
PID 532 wrote to memory of 328	532	cmd.exe	certutil.exe
PID 532 wrote to memory of 328	532	cmd.exe	certutil.exe
PID 532 wrote to memory of 328	532	cmd.exe	certutil.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 532 wrote to memory of 1932	532	cmd.exe	rundll32.exe
PID 1932 wrote to memory of 1540	1932	rundll32.exe	huqgk.exe
PID 1932 wrote to memory of 1540	1932	rundll32.exe	huqgk.exe
PID 1932 wrote to memory of 1540	1932	rundll32.exe	huqgk.exe
PID 1932 wrote to memory of 1540	1932	rundll32.exe	huqgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617898525.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\14118.doy %PUBLIC%\14118.biy && rundll32 %PUBLIC%\14118.biy,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\14118.doy C:\Users\Public\14118.biy
3⤵
PID:328

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\14118.biy,DF1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

C:\ProgramData\huqgk\huqgk.exe
"C:\ProgramData\huqgk\huqgk.exe"
4⤵
- Executes dropped EXE
PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\huqgk\huqgk.exe

MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
C:\Users\Public\14118.biy

MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
C:\Users\Public\14118.doy

MD5
61f9ff7edf0a1ff6888e541124226553

SHA1
171fcc225b737185dcb63a7980e7568b3a80f88a

SHA256
5b76d927fc8fbce5d669a8388858986e2b4533176144d08497f5b58672db12fb

SHA512
9cc04bf336b90aeeb9b4a93185dde1173f968f2fb8b9f974c2fbd74d2f2dde499be8058050fed96887439140bb000da368feb48e7f89b3a6ccbbdcf0e4532350

Download Submit
\ProgramData\huqgk\huqgk.exe

MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
\ProgramData\huqgk\huqgk.exe

MD5
ffdff96a587983deae1c67bb1299b004

SHA1
8fa41ac76c9f40e738fd42025144c7d55969ab79

SHA256
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

SHA512
f8efe1f3f7e975618e9b72f8de588c1904b6dd2e6aa64ac8aed646e4ab5eb58553cac4a406153f46fb28147c6cff7ec9011a29765f036b575a374de2fab72376

Download Submit
\Users\Public\14118.biy

MD5
0d90eb265cfe49b20037673845bd0c3c

SHA1
6d8fb0ff1aba664991336f039a2cc4451a6160cc

SHA256
acc4ef33e4725fa9b3b1481a30b9ab2790badf06eb8bdc0db5d4cd550f16c6cc

SHA512
64a2a8fc352760907e36373dea7d1ee4867e7d569da44360069ca862161504769e35b08dc557d0aefbc0f15d5be83c996dae9b665540d36b255ed430798cb62d

Download Submit
memory/328-64-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/328-63-0x0000000000000000-mapping.dmp

Download
memory/532-62-0x0000000000000000-mapping.dmp

Download
memory/1244-59-0x000000002F5C1000-0x000000002F5C4000-memory.dmp

Filesize
12KB

Download
memory/1244-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1244-60-0x0000000071D11000-0x0000000071D13000-memory.dmp

Filesize
8KB

Download
memory/1540-74-0x0000000000000000-mapping.dmp

Download
memory/1932-66-0x0000000000000000-mapping.dmp

Download
memory/1932-70-0x00000000000E0000-0x00000000000E5000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads