Overview

overview

10

Static

static

8

subscripti...3.xlsb

windows7_x64

10

subscripti...3.xlsb

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13-04-2021 21:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    subscription_1617056233.xlsb

  • Size

    177KB

  • MD5

    1d1ba411ff36cdd1b1350341624ac008

  • SHA1

    becdec14b92c6d67b3aa28fdbf4293dabb7b0055

  • SHA256

    ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1

  • SHA512

    89a9df6e41300e05c71af3eb45acd7cd6c3915bc511d00cc2a420c5d3a274a704798b3e48e93ffccd7813ee2a25e96a2c1c1f4d1e84ed86c144f2e79af501ef0

Score
10/10
nloaderloader

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Nloader

    Simple loader that includes the keyword 'campo' in the URL used to download other families.

    loadernloader
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617056233.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
        3⤵
          PID:1228
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\Users\Public\4123.do1,DF1
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1820

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Public\4123.do1
      MD5

      f776deb4df137b37dcae5406c8f3a07a

      SHA1

      f6a31b594fca39c118927405fa4d14353b8fd49a

      SHA256

      93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

      SHA512

      4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

      Download Submit

    • C:\Users\Public\4123.xsg
      MD5

      c87e1dee1275fed1f7ee813b97ccb17b

      SHA1

      e8313978e3c0dff6355b843cd470949c719032c6

      SHA256

      92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d

      SHA512

      2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35

      Download Submit

    • \Users\Public\4123.do1
      MD5

      f776deb4df137b37dcae5406c8f3a07a

      SHA1

      f6a31b594fca39c118927405fa4d14353b8fd49a

      SHA256

      93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

      SHA512

      4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

      Download Submit

    • memory/788-61-0x0000000071391000-0x0000000071393000-memory.dmp

      Filesize

      8KB

      Download

    • memory/788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/788-80-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/788-60-0x000000002F7D1000-0x000000002F7D4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1228-64-0x0000000000000000-mapping.dmp

      Download

    • memory/1228-65-0x0000000075551000-0x0000000075553000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1232-63-0x0000000000000000-mapping.dmp

      Download

    • memory/1820-67-0x0000000000000000-mapping.dmp

      Download

    • memory/1820-71-0x0000000000200000-0x0000000000209000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1820-74-0x0000000000210000-0x0000000000217000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1820-76-0x0000000000213000-0x0000000000214000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1820-77-0x0000000000230000-0x0000000000235000-memory.dmp

      Filesize

      20KB

      Download

    • memory/1820-79-0x0000000000160000-0x0000000000166000-memory.dmp

      Filesize

      24KB

      Download