subscription_1617056233.xlsb

General
Target

subscription_1617056233.xlsb

Filesize

177KB

Completed

13-04-2021 21:07

Score

10/10
MD5

1d1ba411ff36cdd1b1350341624ac008

SHA1

becdec14b92c6d67b3aa28fdbf4293dabb7b0055

SHA256

ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1

Malware Config
Signatures 10

Discovery
  • Nloader

    Description

    Simple loader that includes the keyword 'campo' in the URL used to download other families.

  • Process spawned unexpected child process
    cmd.exe, rundll32.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    PID   Target PID  Process       Target process  Description
    492   3560        cmd.exe       EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
    1272  3560        rundll32.exe  EXCEL.EXE       Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  • Nloader Payload

    Reported IOCs

    Resource                                                                        YARA rule
    behavioral2/memory/2144-186-0x0000000002A40000-0x0000000002A46000-memory.dmp   nloader
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    Flow  PID   Process
    23    2144  rundll32.exe
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    PID   Process
    2144  rundll32.exe
  • Checks processor information in registry
    EXCEL.EXE, EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description        IOC                                                                                  Process
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE, EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description        IOC                                                          Process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
    Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE, EXCEL.EXE

    Reported IOCs

    PID   Process
    3560  EXCEL.EXE
    1116  EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE, EXCEL.EXE

    Reported IOCs

    PID   Process    Count
    3560  EXCEL.EXE  12
    1116  EXCEL.EXE  9
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe, rundll32.exe

    Reported IOCs

    Description                       PID   Process       Target process  Count
    PID 3560 wrote to memory of 492   3560  EXCEL.EXE     cmd.exe         2
    PID 492 wrote to memory of 3292   492   cmd.exe       certutil.exe    2
    PID 3560 wrote to memory of 1272  3560  EXCEL.EXE     rundll32.exe    2
    PID 1272 wrote to memory of 2144  1272  rundll32.exe  rundll32.exe    3
Processes 7
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617056233.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:492
      • C:\Windows\system32\certutil.exe
        certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
        PID:3292
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 C:\Users\Public\4123.do1,DF1
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\Users\Public\4123.do1,DF1
        Blocklisted process makes network request
        Loads dropped DLL
        PID:2144
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:732
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Public\4123.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    PID:1116
Network

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\736E845A-8550-4CB9-AF37-A1C47A5167DD
    MD5     5329f8922c5731174a51b688e3c41764
    SHA1    70f0b53f34dff30e40817f8aaa34b83df677af06
    SHA256  7840fc7857ca62525be17dc748a6cec781eeb5240ca54a27db91c75243cebe15
    SHA512  5289ee31a7c385fe293402e4dc6dfb01172c0c85e6f2d2967a89dc449f21cbdd415eabf6368b7e902ad5ca25e8169abf92bdcc23497aee6d9d3721bf76e62689

  • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
    MD5     3a0398bcb722bc90474aeea0089705a3
    SHA1    6920a22411dc4b9fbe5efc76bb6c2a53bde7deec
    SHA256  d4aafc857f0e2b75a5bb2c1628a6dd0d1e0fec48b7cf8c40ce915b803c4b70ea
    SHA512  4c303cc880cb73261b31d6243f99a6cd1280a4f3a31eae701c6b86fd99d1fa4004d4580267f511454da2c3c27fbd0510d0034184cc7ad7e1dde810ce48165798

  • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db
    MD5     a6064fc9ce640751e063d9af443990da
    SHA1    367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
    SHA256  5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
    SHA512  0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

  • C:\Users\Public\4123.do1
    MD5     f776deb4df137b37dcae5406c8f3a07a
    SHA1    f6a31b594fca39c118927405fa4d14353b8fd49a
    SHA256  93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
    SHA512  4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

  • C:\Users\Public\4123.xlsb
    MD5     c87e1dee1275fed1f7ee813b97ccb17b
    SHA1    e8313978e3c0dff6355b843cd470949c719032c6
    SHA256  92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d
    SHA512  2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35

  • C:\Users\Public\4123.xsg
    MD5     c87e1dee1275fed1f7ee813b97ccb17b
    SHA1    e8313978e3c0dff6355b843cd470949c719032c6
    SHA256  92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d
    SHA512  2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35

  • \Users\Public\4123.do1
    MD5     f776deb4df137b37dcae5406c8f3a07a
    SHA1    f6a31b594fca39c118927405fa4d14353b8fd49a
    SHA256  93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
    SHA512  4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2