nloader | 32b9ed5ed7f0adfc8f39a6300e4fe0831a60c2b4e4631a4d6f7e96ee2b9ff40f

General

Target

Bazar.xlsb
Size

289KB
MD5

3b409c892001c72d4b1be7786cedf010
SHA1

8c3c7e4f570ab74b02003f0befe691a34c29e0d2
SHA256

32b9ed5ed7f0adfc8f39a6300e4fe0831a60c2b4e4631a4d6f7e96ee2b9ff40f
SHA512

8c229ee0831feb17e600fe5aa849d1887682746c9e61d4bd5fd8cce5623b1798d4691c112653da50ec292ac2d7d4452ed1ae961d13971aafae1c69addbfad2c9
SSDEEP

6144:J9GIZGd38S3knv1D8LtYOKlJbAuxcM4SPtDr3Dvyh:J9GmGd38XvAtjuy+P3Dv4

Score

10^/10

nloader loader upx

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	4048	3284	cmd.exe	EXCEL.EXE

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Public\105011.gof	acprotect
C:\Users\Public\105011.gof	acprotect

Nloader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4652-147-0x0000000001390000-0x0000000001395000-memory.dmp	nloader

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

33 4652 rundll32.exe

flow	pid	process
33	4652	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\105011.gof	upx
C:\Users\Public\105011.gof	upx
behavioral2/memory/4652-146-0x0000000075660000-0x0000000075693000-memory.dmp	upx
behavioral2/memory/4652-152-0x0000000075660000-0x0000000075693000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4652 rundll32.exe

pid	process
4652	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3284 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE
3284	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 3284 wrote to memory of 4048	3284	EXCEL.EXE	cmd.exe
PID 3284 wrote to memory of 4048	3284	EXCEL.EXE	cmd.exe
PID 4048 wrote to memory of 3988	4048	cmd.exe	certutil.exe
PID 4048 wrote to memory of 3988	4048	cmd.exe	certutil.exe
PID 4048 wrote to memory of 828	4048	cmd.exe	rundll32.exe
PID 4048 wrote to memory of 828	4048	cmd.exe	rundll32.exe
PID 828 wrote to memory of 4652	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 4652	828	rundll32.exe	rundll32.exe
PID 828 wrote to memory of 4652	828	rundll32.exe	rundll32.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Bazar.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\105011.oop %PUBLIC%\105011.gof && rundll32 %PUBLIC%\105011.gof,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\105011.oop C:\Users\Public\105011.gof
3⤵
PID:3988

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\105011.gof,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\105011.gof,DF1
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\105011.gof

Filesize
102KB

MD5
2ecee3dd510442f9b28d62a339a6b7a0

SHA1
f1bc56458af0bcc4265f58b812f860da45e90f8e

SHA256
47b1f63e7db1c24ad6f692cf1eb0e92dd6de27a16051f390f5b441afc5049fea

SHA512
f94a9220629181cd14f8cfec442c7b0c10f315617f64f8ef551be3c0fe6424a69f36269867328aaf95cbcd4627a32b47de4d438ed1233ae37c5a6ecf7fbb0c23

Download Submit
C:\Users\Public\105011.gof

Filesize
102KB

MD5
2ecee3dd510442f9b28d62a339a6b7a0

SHA1
f1bc56458af0bcc4265f58b812f860da45e90f8e

SHA256
47b1f63e7db1c24ad6f692cf1eb0e92dd6de27a16051f390f5b441afc5049fea

SHA512
f94a9220629181cd14f8cfec442c7b0c10f315617f64f8ef551be3c0fe6424a69f36269867328aaf95cbcd4627a32b47de4d438ed1233ae37c5a6ecf7fbb0c23

Download Submit
C:\Users\Public\105011.oop

Filesize
137KB

MD5
3c79791ee7bbb25eb4139886bb27038d

SHA1
39163f362e64a03e920f63e9d5c4c1c5098fd7a9

SHA256
48bc2ff4d55dfc60659213fbbc1543d7f4eed7feda54c5013be9f88668f87737

SHA512
34adaa6907e0ce644f4519f10debd9a13cdc1f5a304108ec38a9b3707f0f3abaf10ca51920cfa3f20831d0d39ea3fdf871649323a094f241ebea417f21d32fea

Download Submit
memory/828-142-0x0000000000000000-mapping.dmp

Download
memory/3284-133-0x00007FFD94C10000-0x00007FFD94C20000-memory.dmp

Filesize
64KB

Download
memory/3284-134-0x00007FFD94C10000-0x00007FFD94C20000-memory.dmp

Filesize
64KB

Download
memory/3284-135-0x00007FFD94C10000-0x00007FFD94C20000-memory.dmp

Filesize
64KB

Download
memory/3284-136-0x00007FFD94C10000-0x00007FFD94C20000-memory.dmp

Filesize
64KB

Download
memory/3284-137-0x00007FFD92AA0000-0x00007FFD92AB0000-memory.dmp

Filesize
64KB

Download
memory/3284-138-0x00007FFD92AA0000-0x00007FFD92AB0000-memory.dmp

Filesize
64KB

Download
memory/3284-132-0x00007FFD94C10000-0x00007FFD94C20000-memory.dmp

Filesize
64KB

Download
memory/3988-140-0x0000000000000000-mapping.dmp

Download
memory/4048-139-0x0000000000000000-mapping.dmp

Download
memory/4652-144-0x0000000000000000-mapping.dmp

Download
memory/4652-146-0x0000000075660000-0x0000000075693000-memory.dmp

Filesize
204KB

Download
memory/4652-147-0x0000000001390000-0x0000000001395000-memory.dmp

Filesize
20KB

Download
memory/4652-152-0x0000000075660000-0x0000000075693000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads