Analysis

  • max time kernel
    139s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-03-2021 15:42

General

  • Target

    subscription_1616167805.xlsb

  • Size

    328KB

  • MD5

    d17e780a23c19a5ce5c2a0d4abc19b55

  • SHA1

    d3d73e9f08cb6d880dc163149d352a197dac7300

  • SHA256

    056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7

  • SHA512

    df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Nloader

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Bazar/Team9 Loader payload 1 IoCs
  • Nloader Payload 4 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\system32\certutil.exe
        certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0
        3⤵
          PID:1328
        • C:\Windows\system32\rundll32.exe
          rundll32 C:\Users\Public\1171.0,DF
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 C:\Users\Public\1171.0,DF
            4⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\ProgramData\klga\klga.exe
              "C:\ProgramData\klga\klga.exe"
              5⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\SYSTEM32\cmd.exe
                cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe FJFTZ
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3808
                • C:\Windows\system32\PING.EXE
                  ping 8.8.7.7 -n 2
                  7⤵
                  • Runs ping.exe
                  PID:2892
                • C:\ProgramData\klga\klga.exe
                  C:\ProgramData\klga\klga.exe FJFTZ
                  7⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:732
                  • C:\Windows\SYSTEM32\cmd.exe
                    cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe ROU5
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:500
                    • C:\Windows\system32\PING.EXE
                      ping 8.8.7.7 -n 2
                      9⤵
                      • Runs ping.exe
                      PID:2888
                    • C:\ProgramData\klga\klga.exe
                      C:\ProgramData\klga\klga.exe ROU5
                      9⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious use of WriteProcessMemory
                      PID:1588
                      • C:\Windows\SYSTEM32\cmd.exe
                        cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe PKFXLK
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:852
                        • C:\Windows\system32\PING.EXE
                          ping 8.8.7.7 -n 2
                          11⤵
                          • Runs ping.exe
                          PID:3864
                        • C:\ProgramData\klga\klga.exe
                          C:\ProgramData\klga\klga.exe PKFXLK
                          11⤵
                          • Executes dropped EXE
                          PID:4032

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/732-27-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

      Filesize

      344KB

    • memory/1588-33-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

      Filesize

      344KB

    • memory/1864-21-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

      Filesize

      344KB

    • memory/1864-22-0x0000000180000000-0x0000000180023000-memory.dmp

      Filesize

      140KB

    • memory/3116-4-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

      Filesize

      64KB

    • memory/3116-5-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

      Filesize

      64KB

    • memory/3116-3-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

      Filesize

      64KB

    • memory/3116-6-0x00007FF81FB70000-0x00007FF8201A7000-memory.dmp

      Filesize

      6.2MB

    • memory/3116-2-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

      Filesize

      64KB

    • memory/3896-14-0x0000000002B30000-0x0000000002B39000-memory.dmp

      Filesize

      36KB

    • memory/3896-15-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

    • memory/3896-16-0x0000000002BE0000-0x0000000002BE5000-memory.dmp

      Filesize

      20KB

    • memory/3896-17-0x0000000002B20000-0x0000000002B26000-memory.dmp

      Filesize

      24KB

    • memory/4032-39-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

      Filesize

      344KB