bazarloader | 056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7

General

Target

subscription_1616167805.xlsb
Size

328KB
MD5

d17e780a23c19a5ce5c2a0d4abc19b55
SHA1

d3d73e9f08cb6d880dc163149d352a197dac7300
SHA256

056809e596895320397378f7f3ff4958107e48f4890a960229dcfbc32b7379b7
SHA512

df94d5473166e9d73ee27a37793fa3bbdee409692cee61696b3dd7bf79c3604da14a09a7e27becf17fd59ab267fd8f6548026b7d5da232253800f0ee94602cab

Score

10^/10

bazarloader nloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3524	3116	cmd.exe	EXCEL.EXE

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1864-22-0x0000000180000000-0x0000000180023000-memory.dmp	BazarLoaderVar1

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3896-14-0x0000000002B30000-0x0000000002B39000-memory.dmp	nloader
behavioral2/memory/3896-15-0x0000000010000000-0x0000000010007000-memory.dmp	nloader
behavioral2/memory/3896-16-0x0000000002BE0000-0x0000000002BE5000-memory.dmp	nloader
behavioral2/memory/3896-17-0x0000000002B20000-0x0000000002B26000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

22 3896 rundll32.exe
30 3896 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

klga.exeklga.exeklga.exeklga.exe

pid process

1864 klga.exe
732 klga.exe
1588 klga.exe
4032 klga.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3896 rundll32.exe

flow	pid	process
22	3896	rundll32.exe
30	3896	rundll32.exe

pid	process
1864	klga.exe
732	klga.exe
1588	klga.exe
4032	klga.exe

pid	process
3896	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

klga.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	klga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DJ1Z41273 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v XXGBWZFSP7 /t REG_SZ /d \"C:\\ProgramData\\klga\\klga.exe PKFXLK\" & start \"H\" C:\\ProgramData\\klga\\klga.exe PKFXLK"	klga.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2892 PING.EXE
2888 PING.EXE
3864 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3116 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

klga.exe

pid process

1864 klga.exe
1864 klga.exe

pid	process
2892	PING.EXE
2888	PING.EXE
3864	PING.EXE

pid	process
1864	klga.exe
1864	klga.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exeklga.execmd.exeklga.execmd.exeklga.execmd.exe

description	pid	process	target process
PID 3116 wrote to memory of 3524	3116	EXCEL.EXE	cmd.exe
PID 3116 wrote to memory of 3524	3116	EXCEL.EXE	cmd.exe
PID 3524 wrote to memory of 1328	3524	cmd.exe	certutil.exe
PID 3524 wrote to memory of 1328	3524	cmd.exe	certutil.exe
PID 3524 wrote to memory of 1816	3524	cmd.exe	rundll32.exe
PID 3524 wrote to memory of 1816	3524	cmd.exe	rundll32.exe
PID 1816 wrote to memory of 3896	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 3896	1816	rundll32.exe	rundll32.exe
PID 1816 wrote to memory of 3896	1816	rundll32.exe	rundll32.exe
PID 3896 wrote to memory of 1864	3896	rundll32.exe	klga.exe
PID 3896 wrote to memory of 1864	3896	rundll32.exe	klga.exe
PID 1864 wrote to memory of 3808	1864	klga.exe	cmd.exe
PID 1864 wrote to memory of 3808	1864	klga.exe	cmd.exe
PID 3808 wrote to memory of 2892	3808	cmd.exe	PING.EXE
PID 3808 wrote to memory of 2892	3808	cmd.exe	PING.EXE
PID 3808 wrote to memory of 732	3808	cmd.exe	klga.exe
PID 3808 wrote to memory of 732	3808	cmd.exe	klga.exe
PID 732 wrote to memory of 500	732	klga.exe	cmd.exe
PID 732 wrote to memory of 500	732	klga.exe	cmd.exe
PID 500 wrote to memory of 2888	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 2888	500	cmd.exe	PING.EXE
PID 500 wrote to memory of 1588	500	cmd.exe	klga.exe
PID 500 wrote to memory of 1588	500	cmd.exe	klga.exe
PID 1588 wrote to memory of 852	1588	klga.exe	cmd.exe
PID 1588 wrote to memory of 852	1588	klga.exe	cmd.exe
PID 852 wrote to memory of 3864	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 3864	852	cmd.exe	PING.EXE
PID 852 wrote to memory of 4032	852	cmd.exe	klga.exe
PID 852 wrote to memory of 4032	852	cmd.exe	klga.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1616167805.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0 && rundll32 C:\Users\Public\1171.0,DF
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\certutil.exe
certutil -f -decode C:\Users\Public\1171.d0 C:\Users\Public\1171.0
3⤵
PID:1328

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\1171.0,DF
3⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\1171.0,DF
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3896

C:\ProgramData\klga\klga.exe
"C:\ProgramData\klga\klga.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe FJFTZ
6⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
7⤵
- Runs ping.exe
PID:2892

C:\ProgramData\klga\klga.exe
C:\ProgramData\klga\klga.exe FJFTZ
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe ROU5
8⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
9⤵
- Runs ping.exe
PID:2888

C:\ProgramData\klga\klga.exe
C:\ProgramData\klga\klga.exe ROU5
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\klga\klga.exe PKFXLK
10⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
11⤵
- Runs ping.exe
PID:3864

C:\ProgramData\klga\klga.exe
C:\ProgramData\klga\klga.exe PKFXLK
11⤵
- Executes dropped EXE
PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\klga\klga.exe

MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\ProgramData\klga\klga.exe

MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\ProgramData\klga\klga.exe

MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\ProgramData\klga\klga.exe

MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\ProgramData\klga\klga.exe

MD5
3b741d6798735efdae2d18c80716ee4b

SHA1
97628ead21544a7b7a065df10c2829207b5c4911

SHA256
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

SHA512
0cb4d710481cfd3cd918bc8d3ca88462fdea88330dbfebb0fabc5e6bc8f03562f08d2b8cf3499af721eceba667458b724a61fbc16729dbf531cf3dfe10d33ca1

Download Submit
C:\Users\Public\1171.0

MD5
480db4035b4be0d96a43f44b77947b9c

SHA1
de066e080a64b61325f747f1e021df07caeabc0b

SHA256
c63683a48bafacd5adf8814244142263f3b1033d053d50b93cc1f479b7dba98c

SHA512
81c310ca460348451a69ae4f3bf1dd2b720a772399e9f2dee5232a9df77798a06518f265087f9cd84d772ebb700799cd29f312d1d8eedf871bb0d630fb19e39a

Download Submit
C:\Users\Public\1171.d0

MD5
ce3590b97179ba87c9c71ae51378949a

SHA1
a435d40dc12fd837c5433eb4543d2b27200aa745

SHA256
67d178a28e2defbe4bfd95d38643b0ad6e35ef5597e97934bf93ca905968b0be

SHA512
7f263d15f13b1a4fd5e4ec272a86bbe5ba9972545fa25fb505eff4f875d0fe697a6acc5adaf25d3ec560771b56efe536d88edcced76ad74e3fcd3fc0c9ccef58

Download Submit
\Users\Public\1171.0

MD5
480db4035b4be0d96a43f44b77947b9c

SHA1
de066e080a64b61325f747f1e021df07caeabc0b

SHA256
c63683a48bafacd5adf8814244142263f3b1033d053d50b93cc1f479b7dba98c

SHA512
81c310ca460348451a69ae4f3bf1dd2b720a772399e9f2dee5232a9df77798a06518f265087f9cd84d772ebb700799cd29f312d1d8eedf871bb0d630fb19e39a

Download Submit
memory/500-29-0x0000000000000000-mapping.dmp

Download
memory/732-25-0x0000000000000000-mapping.dmp

Download
memory/732-27-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

Filesize
344KB

Download
memory/852-35-0x0000000000000000-mapping.dmp

Download
memory/1328-8-0x0000000000000000-mapping.dmp

Download
memory/1588-31-0x0000000000000000-mapping.dmp

Download
memory/1588-33-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

Filesize
344KB

Download
memory/1816-10-0x0000000000000000-mapping.dmp

Download
memory/1864-21-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

Filesize
344KB

Download
memory/1864-18-0x0000000000000000-mapping.dmp

Download
memory/1864-22-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/2888-30-0x0000000000000000-mapping.dmp

Download
memory/2892-24-0x0000000000000000-mapping.dmp

Download
memory/3116-4-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-5-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-3-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-6-0x00007FF81FB70000-0x00007FF8201A7000-memory.dmp

Filesize
6.2MB

Download
memory/3116-2-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3524-7-0x0000000000000000-mapping.dmp

Download
memory/3808-23-0x0000000000000000-mapping.dmp

Download
memory/3864-36-0x0000000000000000-mapping.dmp

Download
memory/3896-14-0x0000000002B30000-0x0000000002B39000-memory.dmp

Filesize
36KB

Download
memory/3896-12-0x0000000000000000-mapping.dmp

Download
memory/3896-15-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3896-16-0x0000000002BE0000-0x0000000002BE5000-memory.dmp

Filesize
20KB

Download
memory/3896-17-0x0000000002B20000-0x0000000002B26000-memory.dmp

Filesize
24KB

Download
memory/4032-37-0x0000000000000000-mapping.dmp

Download
memory/4032-39-0x00007FF6E3830000-0x00007FF6E3886000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads