Overview

overview

10

Static

static

8

_____.xlsb

windows7_x64

10

_____.xlsb

windows10_x64

10

Analysis

  • max time kernel
    66s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-04-2021 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    _____.xlsb

  • Size

    225KB

  • MD5

    0abe41c27fa3f1e62b74ff4903887d86

  • SHA1

    3707fed2be2ec70152bdc5cd691137a7d6b62013

  • SHA256

    67c35a01ebe2933d5772677793719c2702ef18274e84fc188f5eb6eee4f32752

  • SHA512

    0b6bc4a8f420c9cb463fa10ec1cfe64cf90ee132ee2f46ec739c381e0d2a21d848896cf1d89b88de9fb6d7b88c2ebc1c497ee8cba08205802c372da5e707f7a9

Score
10/10
nloaderloader

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Nloader

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    loadernloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\_____.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\14118.doy %PUBLIC%\14118.biy && rundll32 %PUBLIC%\14118.biy,DF1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\14118.doy C:\Users\Public\14118.biy
        3⤵
          PID:740
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\14118.biy,DF1
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 468
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1344

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\14118.biy
      MD5

      d54955f8150d1ae905a9fbcaac97a71b

      SHA1

      b4027b0c59c4a7f2d0b2c5bd8409976b9bade4ed

      SHA256

      627f67c18ccda5a5e3e3b90738545c0553abee1cee81e03b447ba33d46674a58

      SHA512

      095609a5d0f08c9b5dc48e0f1501e69ec512806592da3add7d07a5b4d7abd745efa9e41f62ec3e43b4add34a01ccaf60722a8f5ecd945417fc47afcbc7294bcd

      Download Submit

    • C:\Users\Public\14118.doy
      MD5

      d18a8f1eef6962d92e2eb47c2ef0e0d4

      SHA1

      18fc95b23c3a44e9e0d86516fc68c3a02e3a0a36

      SHA256

      559d08c26df410ad35dc227b4e55e6aeffbe549a5b8ff71d050e93dbfcce1495

      SHA512

      5716ffffe6d74373436a6f7d8a6b6ee80a85bda5b9ee813577955902f9bb3d31913c7d62005ea81f7a2ebdb6a8fdb1232bc83ffb709574688ac7ecd1505e2c78

      Download Submit

    • \Users\Public\14118.biy
      MD5

      d54955f8150d1ae905a9fbcaac97a71b

      SHA1

      b4027b0c59c4a7f2d0b2c5bd8409976b9bade4ed

      SHA256

      627f67c18ccda5a5e3e3b90738545c0553abee1cee81e03b447ba33d46674a58

      SHA512

      095609a5d0f08c9b5dc48e0f1501e69ec512806592da3add7d07a5b4d7abd745efa9e41f62ec3e43b4add34a01ccaf60722a8f5ecd945417fc47afcbc7294bcd

      Download Submit

    • memory/740-63-0x0000000000000000-mapping.dmp

      Download

    • memory/740-64-0x0000000075781000-0x0000000075783000-memory.dmp

      Filesize

      8KB

      Download

    • memory/764-62-0x0000000000000000-mapping.dmp

      Download

    • memory/832-71-0x00000000002C0000-0x00000000002C6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/832-66-0x0000000000000000-mapping.dmp

      Download

    • memory/832-70-0x0000000000410000-0x0000000000419000-memory.dmp

      Filesize

      36KB

      Download

    • memory/832-77-0x0000000000440000-0x0000000000445000-memory.dmp

      Filesize

      20KB

      Download

    • memory/832-76-0x0000000000423000-0x0000000000424000-memory.dmp

      Filesize

      4KB

      Download

    • memory/832-74-0x0000000000420000-0x0000000000427000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1344-79-0x0000000000000000-mapping.dmp

      Download

    • memory/1344-80-0x00000000004C0000-0x00000000004C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1904-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-60-0x0000000071271000-0x0000000071273000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1904-59-0x000000002F7C1000-0x000000002F7C4000-memory.dmp

      Filesize

      12KB

      Download