Overview

overview

10

Static

static

8

WIN7(5)

windows7_x64

10

Resubmissions

15-05-2021 06:30

210515-lxdxev1lpn 10

15-05-2021 06:01

210515-2knl4q95bs 10

Analysis

  • max time kernel
    120s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    15-05-2021 06:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.xlsb

  • Size

    254KB

  • MD5

    dc37192b5c4c8c4f94c73c18ce5e3829

  • SHA1

    0aa6bb11a11dade2269d90b2781ed0a517362012

  • SHA256

    db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6

  • SHA512

    3e8b179d8521fb33a46eeeca74bbda7a4e8a32f47b6195b17d62664dd2e31716261a61a495857ed08dbbc001a9eab8adec7133921179eb3df66c53e18c586d9a

Score
10/10
nloaderloader

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Nloader

    Simple loader that includes the keyword 'campo' in the URL used to download other families.

    loadernloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Nloader Payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\test.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:788
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj && rundll32 %PUBLIC%\130486.pgj,DF1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\130486.dot C:\Users\Public\130486.pgj
        3⤵
          PID:564
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\130486.pgj,DF1
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:960
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 468
            4⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1188

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/564-65-0x0000000075A71000-0x0000000075A73000-memory.dmp

      Filesize

      8KB

      Download

    • memory/788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/788-60-0x000000002F4E1000-0x000000002F4E4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/788-61-0x00000000711A1000-0x00000000711A3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/960-71-0x0000000000260000-0x0000000000269000-memory.dmp

      Filesize

      36KB

      Download

    • memory/960-74-0x0000000000270000-0x0000000000277000-memory.dmp

      Filesize

      28KB

      Download

    • memory/960-77-0x00000000002D0000-0x00000000002D5000-memory.dmp

      Filesize

      20KB

      Download

    • memory/960-76-0x0000000000273000-0x0000000000274000-memory.dmp

      Filesize

      4KB

      Download

    • memory/960-79-0x0000000000250000-0x0000000000256000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1188-81-0x0000000001C70000-0x0000000001C71000-memory.dmp

      Filesize

      4KB

      Download