Analysis
-
max time kernel
139s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-03-2021 15:42
Behavioral task
behavioral1
Sample
subscription_1616167805.xlsb
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
subscription_1616167805.xlsb
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
subscription_1616167805.xlsb
-
Size
328KB
-
MD5
d17e780a23c19a5ce5c2a0d4abc19b55
-
SHA1
d3d73e9f08cb6d880dc163149d352a197dac7300
-
SHA256
056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7
-
SHA512
df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 3524 3116 cmd.exe 67 -
Bazar/Team9 Loader payload 1 IoCs
resource yara_rule behavioral2/memory/1864-22-0x0000000180000000-0x0000000180023000-memory.dmp BazarLoaderVar1 -
Nloader Payload 4 IoCs
resource yara_rule behavioral2/memory/3896-14-0x0000000002B30000-0x0000000002B39000-memory.dmp nloader behavioral2/memory/3896-15-0x0000000010000000-0x0000000010007000-memory.dmp nloader behavioral2/memory/3896-16-0x0000000002BE0000-0x0000000002BE5000-memory.dmp nloader behavioral2/memory/3896-17-0x0000000002B20000-0x0000000002B26000-memory.dmp nloader -
Blocklisted process makes network request 2 IoCs
flow pid Process 22 3896 rundll32.exe 30 3896 rundll32.exe -
Executes dropped EXE 4 IoCs
pid Process 1864 klga.exe 732 klga.exe 1588 klga.exe 4032 klga.exe -
Loads dropped DLL 1 IoCs
pid Process 3896 rundll32.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce klga.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DJ1Z41273 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v XXGBWZFSP7 /t REG_SZ /d \"C:\\ProgramData\\klga\\klga.exe PKFXLK\" & start \"H\" C:\\ProgramData\\klga\\klga.exe PKFXLK" klga.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2892 PING.EXE 2888 PING.EXE 3864 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3116 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1864 klga.exe 1864 klga.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE 3116 EXCEL.EXE -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 3116 wrote to memory of 3524 3116 EXCEL.EXE 77 PID 3116 wrote to memory of 3524 3116 EXCEL.EXE 77 PID 3524 wrote to memory of 1328 3524 cmd.exe 79 PID 3524 wrote to memory of 1328 3524 cmd.exe 79 PID 3524 wrote to memory of 1816 3524 cmd.exe 80 PID 3524 wrote to memory of 1816 3524 cmd.exe 80 PID 1816 wrote to memory of 3896 1816 rundll32.exe 82 PID 1816 wrote to memory of 3896 1816 rundll32.exe 82 PID 1816 wrote to memory of 3896 1816 rundll32.exe 82 PID 3896 wrote to memory of 1864 3896 rundll32.exe 87 PID 3896 wrote to memory of 1864 3896 rundll32.exe 87 PID 1864 wrote to memory of 3808 1864 klga.exe 88 PID 1864 wrote to memory of 3808 1864 klga.exe 88 PID 3808 wrote to memory of 2892 3808 cmd.exe 90 PID 3808 wrote to memory of 2892 3808 cmd.exe 90 PID 3808 wrote to memory of 732 3808 cmd.exe 91 PID 3808 wrote to memory of 732 3808 cmd.exe 91 PID 732 wrote to memory of 500 732 klga.exe 92 PID 732 wrote to memory of 500 732 klga.exe 92 PID 500 wrote to memory of 2888 500 cmd.exe 94 PID 500 wrote to memory of 2888 500 cmd.exe 94 PID 500 wrote to memory of 1588 500 cmd.exe 95 PID 500 wrote to memory of 1588 500 cmd.exe 95 PID 1588 wrote to memory of 852 1588 klga.exe 96 PID 1588 wrote to memory of 852 1588 klga.exe 96 PID 852 wrote to memory of 3864 852 cmd.exe 98 PID 852 wrote to memory of 3864 852 cmd.exe 98 PID 852 wrote to memory of 4032 852 cmd.exe 99 PID 852 wrote to memory of 4032 852 cmd.exe 99
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3524 -
C:\Windows\system32\certutil.execertutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.03⤵PID:1328
-
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Public\1171.0,DF3⤵
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Users\Public\1171.0,DF4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\ProgramData\klga\klga.exe"C:\ProgramData\klga\klga.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SYSTEM32\cmd.execmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe FJFTZ6⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\system32\PING.EXEping 8.8.7.7 -n 27⤵
- Runs ping.exe
PID:2892
-
-
C:\ProgramData\klga\klga.exeC:\ProgramData\klga\klga.exe FJFTZ7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SYSTEM32\cmd.execmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe ROU58⤵
- Suspicious use of WriteProcessMemory
PID:500 -
C:\Windows\system32\PING.EXEping 8.8.7.7 -n 29⤵
- Runs ping.exe
PID:2888
-
-
C:\ProgramData\klga\klga.exeC:\ProgramData\klga\klga.exe ROU59⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SYSTEM32\cmd.execmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe PKFXLK10⤵
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\system32\PING.EXEping 8.8.7.7 -n 211⤵
- Runs ping.exe
PID:3864
-
-
C:\ProgramData\klga\klga.exeC:\ProgramData\klga\klga.exe PKFXLK11⤵
- Executes dropped EXE
PID:4032
-
-
-
-
-
-
-
-
-
-