Analysis
-
max time kernel
480s -
max time network
391s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
-
submitted
28-03-2024 05:48
General
-
Target
subscription_1617056233.xlsb
-
Size
177KB
-
MD5
1d1ba411ff36cdd1b1350341624ac008
-
SHA1
becdec14b92c6d67b3aa28fdbf4293dabb7b0055
-
SHA256
ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1
-
SHA512
89a9df6e41300e05c71af3eb45acd7cd6c3915bc511d00cc2a420c5d3a274a704798b3e48e93ffccd7813ee2a25e96a2c1c1f4d1e84ed86c144f2e79af501ef0
-
SSDEEP
3072:jMozgZ9S08bSe71IeyGJE+pCm7nXEMyQuvYKrp/wR+bhzKbzvXAJ732:TgLSPB76eyGjwm75yQuvPSjwJr2
Malware Config
Extracted
Signatures
-
Nloader
Simple loader that includes the keyword 'campo' in the URL used to download other families.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Nloader payload 4 IoCs
-
Loads dropped DLL 1 IoCs
-
Program crash 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 31 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617056233.xlsb1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do12⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\certutil.execertutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do13⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Public\4123.do1,DF12⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 4563⤵
- Program crash
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
130B
MD559ebe82c4a9fecae76ed48cc3bbcc434
SHA141b9e1a9d35700786cfe9c468d5971e550cf4730
SHA256eaac90e9eced9e540a823a8027b7a93b266fb56fa2281e815f6e521c083f927e
SHA512c4b8002981062dc73862a8b585a6d2409b468f5854ec3584a2fd0fa74f7eabb3d61ce03bacac03898527852d4d66e15f642f0c25f2bc36c965ee798b6a59881b
-
Filesize
48KB
MD5f776deb4df137b37dcae5406c8f3a07a
SHA1f6a31b594fca39c118927405fa4d14353b8fd49a
SHA25693cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
SHA5124077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2
-
Filesize
64KB
MD5c87e1dee1275fed1f7ee813b97ccb17b
SHA1e8313978e3c0dff6355b843cd470949c719032c6
SHA25692bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d
SHA5122d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35
-
Filesize
44KB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
8KB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
44KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
20KB
-
Filesize
36KB