nloader | db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6

General

Target

test.xlsb
Size

254KB
MD5

dc37192b5c4c8c4f94c73c18ce5e3829
SHA1

0aa6bb11a11dade2269d90b2781ed0a517362012
SHA256

db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
SHA512

3e8b179d8521fb33a46eeeca74bbda7a4e8a32f47b6195b17d62664dd2e31716261a61a495857ed08dbbc001a9eab8adec7133921179eb3df66c53e18c586d9a

Score

10^/10

nloader loader

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1692	788	cmd.exe	EXCEL.EXE

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/960-71-0x0000000000260000-0x0000000000269000-memory.dmp	nloader
behavioral1/memory/960-74-0x0000000000270000-0x0000000000277000-memory.dmp	nloader
behavioral1/memory/960-77-0x00000000002D0000-0x00000000002D5000-memory.dmp	nloader
behavioral1/memory/960-79-0x0000000000250000-0x0000000000256000-memory.dmp	nloader

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

960 rundll32.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1188 960 WerFault.exe rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
960	rundll32.exe

pid	pid_target	process	target process
1188	960	WerFault.exe	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

788 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
1188 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1188 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1188 WerFault.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE
788 EXCEL.EXE

pid	process
788	EXCEL.EXE

pid	process
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe
1188	WerFault.exe

pid	process
1188	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1188	WerFault.exe

pid	process
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE
788	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 788 wrote to memory of 1692	788	EXCEL.EXE	cmd.exe
PID 788 wrote to memory of 1692	788	EXCEL.EXE	cmd.exe
PID 788 wrote to memory of 1692	788	EXCEL.EXE	cmd.exe
PID 788 wrote to memory of 1692	788	EXCEL.EXE	cmd.exe
PID 1692 wrote to memory of 564	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 564	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 564	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 564	1692	cmd.exe	certutil.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 1692 wrote to memory of 960	1692	cmd.exe	rundll32.exe
PID 960 wrote to memory of 1188	960	rundll32.exe	WerFault.exe
PID 960 wrote to memory of 1188	960	rundll32.exe	WerFault.exe
PID 960 wrote to memory of 1188	960	rundll32.exe	WerFault.exe
PID 960 wrote to memory of 1188	960	rundll32.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\test.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\130486.dot %PUBLIC%\130486.pgj && rundll32 %PUBLIC%\130486.pgj,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\130486.dot C:\Users\Public\130486.pgj
3⤵
PID:564

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\130486.pgj,DF1
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 468
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\130486.dot
MD5
5ad4845793b5dc3308172b39f3c3dbc7

SHA1
4285a93ec1a49f28cb2542af2a2bafc08e4f8a18

SHA256
2632c0cc222a6d436b50a418605a7bd4fa8f363ab8d93d10b831cdb28a2ac1bc

SHA512
4a1c88eb99d9d9713802f5f2c9b96d15bb4cab8af7360c62d3e1b614fe07ea33771b33075c15a0f400daad7a713edc684e2c0566cd9ab5805b00f05e3b58a5df

Download Submit
C:\Users\Public\130486.pgj
MD5
14089c2d5a4207dd80f71fb258200848

SHA1
80fa3d47f321108d7c956680ac1b1f5c611d6277

SHA256
f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4

SHA512
cbfcbcddb80749711853aa7d39525e299015d31451615cfce64e54f197d6a1e87deb60920723c7a90b30c0da05e469c4208a758e93ad2e49f9e78eefb231bfa6

Download Submit
\Users\Public\130486.pgj
MD5
14089c2d5a4207dd80f71fb258200848

SHA1
80fa3d47f321108d7c956680ac1b1f5c611d6277

SHA256
f3b5cf1e40aed4567a8996cf107285907d432b4bc8cc3d0b46aae628813d82d4

SHA512
cbfcbcddb80749711853aa7d39525e299015d31451615cfce64e54f197d6a1e87deb60920723c7a90b30c0da05e469c4208a758e93ad2e49f9e78eefb231bfa6

Download Submit
memory/564-64-0x0000000000000000-mapping.dmp

Download
memory/564-65-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/788-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/788-60-0x000000002F4E1000-0x000000002F4E4000-memory.dmp

Filesize
12KB

Download
memory/788-61-0x00000000711A1000-0x00000000711A3000-memory.dmp

Filesize
8KB

Download
memory/960-71-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/960-67-0x0000000000000000-mapping.dmp

Download
memory/960-74-0x0000000000270000-0x0000000000277000-memory.dmp

Filesize
28KB

Download
memory/960-77-0x00000000002D0000-0x00000000002D5000-memory.dmp

Filesize
20KB

Download
memory/960-76-0x0000000000273000-0x0000000000274000-memory.dmp

Filesize
4KB

Download
memory/960-79-0x0000000000250000-0x0000000000256000-memory.dmp

Filesize
24KB

Download
memory/1188-80-0x0000000000000000-mapping.dmp

Download
memory/1188-81-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1692-63-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads