bazarbackdoor | 4fb1df3cc70ff21190e4ce1c6791a0112aba9acd582d1379bc73fcc27e607810

General

Target

Report-doc.11.03.xlsb
Size

26KB
MD5

9cf051461a704aca7b839964ab2355ab
SHA1

056244cddc082c128df5dda156ac9c1428121e04
SHA256

4fb1df3cc70ff21190e4ce1c6791a0112aba9acd582d1379bc73fcc27e607810
SHA512

ce359920c8fcc6a52683be1b84ef4582900853d4d3b5ca410a929d01f32a47242a1a8a419d435757b45df949fdb2d6392e43aa15eadbb8fa56c82d893bc2e693

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 16 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	31	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	33	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	38	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	41	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	48	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	63	https://trybunin.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	34	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	39	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	47	https://lukeschicago.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	29	https://lukeschicago.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	42	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	43	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/2
HTTP URL	44	https://hotelmonteleone.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	24	https://hotelmonteleone.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	32	https://ukmedm.com/72c5e676b29f5ec54d226eb16133c4da/4
HTTP URL	50	https://fdphotostudio.com/72c5e676b29f5ec54d226eb16133c4da/4

Blacklisted process makes network request 2003 IoCs

Processes:

cmd.exe

flow	pid	process
24	1072	cmd.exe
26	1072	cmd.exe
29	1072	cmd.exe
31	1072	cmd.exe
32	1072	cmd.exe
33	1072	cmd.exe
34	1072	cmd.exe
38	1072	cmd.exe
39	1072	cmd.exe
41	1072	cmd.exe
42	1072	cmd.exe
43	1072	cmd.exe
44	1072	cmd.exe
46	1072	cmd.exe
47	1072	cmd.exe
48	1072	cmd.exe
50	1072	cmd.exe
52	1072	cmd.exe
54	1072	cmd.exe
55	1072	cmd.exe
57	1072	cmd.exe
59	1072	cmd.exe
61	1072	cmd.exe
63	1072	cmd.exe
64	1072	cmd.exe
65	1072	cmd.exe
66	1072	cmd.exe
67	1072	cmd.exe
68	1072	cmd.exe
69	1072	cmd.exe
70	1072	cmd.exe
71	1072	cmd.exe
72	1072	cmd.exe
73	1072	cmd.exe
74	1072	cmd.exe
75	1072	cmd.exe
76	1072	cmd.exe
77	1072	cmd.exe
78	1072	cmd.exe
79	1072	cmd.exe
80	1072	cmd.exe
81	1072	cmd.exe
82	1072	cmd.exe
83	1072	cmd.exe
84	1072	cmd.exe
85	1072	cmd.exe
86	1072	cmd.exe
87	1072	cmd.exe
88	1072	cmd.exe
89	1072	cmd.exe
90	1072	cmd.exe
91	1072	cmd.exe
92	1072	cmd.exe
93	1072	cmd.exe
94	1072	cmd.exe
95	1072	cmd.exe
96	1072	cmd.exe
97	1072	cmd.exe
98	1072	cmd.exe
99	1072	cmd.exe
100	1072	cmd.exe
101	1072	cmd.exe
102	1072	cmd.exe
103	1072	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

hypzgqhi.exehypzgqhi.exe

pid process

920 hypzgqhi.exe
1648 hypzgqhi.exe
Loads dropped DLL 1 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
Suspicious use of SetThreadContext 1 IoCs

Processes:

hypzgqhi.exe

description pid process target process

PID 920 set thread context of 1072 920 hypzgqhi.exe cmd.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
920	hypzgqhi.exe
1648	hypzgqhi.exe

pid	process
2028	EXCEL.EXE

description	pid	process	target process
PID 920 set thread context of 1072	920	hypzgqhi.exe	cmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

hypzgqhi.execmd.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	hypzgqhi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa190000000100000010000000ea6089055218053dd01e37e1d806eedf030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	hypzgqhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	cmd.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c190000000100000010000000ea6089055218053dd01e37e1d806eedf040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf91400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	cmd.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EXCEL.EXE

description pid process

Token: SeShutdownPrivilege 2028 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

2028 EXCEL.EXE
2028 EXCEL.EXE
2028 EXCEL.EXE
2028 EXCEL.EXE
2028 EXCEL.EXE

pid	process
2028	EXCEL.EXE

pid	process
2028	EXCEL.EXE

description	pid	process
Token: SeShutdownPrivilege	2028	EXCEL.EXE

pid	process
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE
2028	EXCEL.EXE

Suspicious use of WriteProcessMemory 856 IoCs

Processes:

EXCEL.EXEhypzgqhi.exe

description	pid	process	target process
PID 2028 wrote to memory of 920	2028	EXCEL.EXE	hypzgqhi.exe
PID 2028 wrote to memory of 920	2028	EXCEL.EXE	hypzgqhi.exe
PID 2028 wrote to memory of 920	2028	EXCEL.EXE	hypzgqhi.exe
PID 2028 wrote to memory of 920	2028	EXCEL.EXE	hypzgqhi.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe
PID 920 wrote to memory of 1072	920	hypzgqhi.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Report-doc.11.03.xlsb
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\fhnhuj\noorox\hypzgqhi.exe
"C:\fhnhuj\noorox\hypzgqhi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
3⤵
- Blacklisted process makes network request
- Modifies system certificate store
PID:1072

C:\fhnhuj\noorox\hypzgqhi.exe
C:\fhnhuj\noorox\hypzgqhi.exe 2463391451
1⤵
- Executes dropped EXE
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
8cf993cb197ae339094ab3ddb565eef5

SHA1
a40e4919a1269ed2d8bd1955f6a43f94c208cfd9

SHA256
5b478d62430968d84ed5a0fabb570602390ffdcc3062206e8ea73fbc72765fe3

SHA512
671dd9d137e8e3c3b04a4827f7b8338d0c94894e9b2a0a85141ca0e5161ef9ae656515a4c0e9fd2bb777f7c9b221dd7e5841b25388c02b0411626035d834da7e

Download Submit
C:\fhnhuj\noorox\hypzgqhi.exe
MD5
8f62ed60962df60d1d11c6e2a97a3a6e

SHA1
d7a80002dba75d642cd05f094110e147541f2058

SHA256
df25322be14f617652607a150c806b4ecb3a3317564755518b8100063b58a50e

SHA512
3b8b5dcf317eb0a5dd061832fa8bc6eb6b1aa290104423b02c3e9b6cd4a5744c1922010478603b545470f303ee4eb65f17d494a5e222b382cd922a7fd75f7080

Download Submit
C:\fhnhuj\noorox\hypzgqhi.exe
MD5
8f62ed60962df60d1d11c6e2a97a3a6e

SHA1
d7a80002dba75d642cd05f094110e147541f2058

SHA256
df25322be14f617652607a150c806b4ecb3a3317564755518b8100063b58a50e

SHA512
3b8b5dcf317eb0a5dd061832fa8bc6eb6b1aa290104423b02c3e9b6cd4a5744c1922010478603b545470f303ee4eb65f17d494a5e222b382cd922a7fd75f7080

Download Submit
\fhnhuj\noorox\hypzgqhi.exe
MD5
8f62ed60962df60d1d11c6e2a97a3a6e

SHA1
d7a80002dba75d642cd05f094110e147541f2058

SHA256
df25322be14f617652607a150c806b4ecb3a3317564755518b8100063b58a50e

SHA512
3b8b5dcf317eb0a5dd061832fa8bc6eb6b1aa290104423b02c3e9b6cd4a5744c1922010478603b545470f303ee4eb65f17d494a5e222b382cd922a7fd75f7080

Download Submit
memory/920-2-0x0000000000000000-mapping.dmp

Download
memory/920-4-0x0000000001E70000-0x0000000001E9C000-memory.dmp

Filesize
176KB

Download
memory/920-5-0x0000000001EA0000-0x0000000001ECC000-memory.dmp

Filesize
176KB

Download
memory/1072-11-0x0000000049F4DA28-mapping.dmp

Download
memory/1072-10-0x0000000049F30000-0x0000000049F74000-memory.dmp

Filesize
272KB

Download
memory/1072-12-0x0000000049F30000-0x0000000049F74000-memory.dmp

Filesize
272KB

Download
memory/1648-8-0x00000000002B0000-0x00000000002DC000-memory.dmp

Filesize
176KB

Download
memory/1976-0-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads