Overview

overview

10

Static

static

8

subscripti...5.xlsb

windows7_x64

10

subscripti...5.xlsb

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    subscription_1617898525.xlsb

  • Size

    250KB

  • MD5

    9d39f307b0d6276450038cca7568b2cc

  • SHA1

    72d0c43d84791c50e600d85e6deb2b9021cf7056

  • SHA256

    bc64eb93cd133670e5e997bdee03928d2408281ed8f07142ee13371da5352f88

  • SHA512

    17e98e6da13405142295953f6deb0cd7d44751bf83a22833a7b9747e21ae46630c1edb7d176edcd21f14428182135db181153a06ddd9e3fc70246514f6f1f127

Score
10/10
nloaderloader

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Nloader

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    loadernloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617898525.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\14118.doy %PUBLIC%\14118.biy && rundll32 %PUBLIC%\14118.biy,DF1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:532
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\14118.doy C:\Users\Public\14118.biy
        3⤵
          PID:328
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\14118.biy,DF1
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\ProgramData\huqgk\huqgk.exe
            "C:\ProgramData\huqgk\huqgk.exe"
            4⤵
            • Executes dropped EXE
            PID:1540

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/328-64-0x0000000075C31000-0x0000000075C33000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1244-59-0x000000002F5C1000-0x000000002F5C4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1244-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1244-60-0x0000000071D11000-0x0000000071D13000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1932-70-0x00000000000E0000-0x00000000000E5000-memory.dmp

      Filesize

      20KB

      Download