bazarloader | dcb029418fd909a3ff32dce12580d4f09a1e49367b6295032b2fc9d94c3e4de4

Analysis

max time kernel
96s
max time network
17s
platform
windows7_x64
resource
win7v20201028
submitted
26-03-2021 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subscription_1616715716.xlsb

Score

10^/10

bazarloader nloader dropper loader upx

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1084	1888	cmd.exe	EXCEL.EXE

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Public\12394.fl5	acprotect
\Users\Public\12394.fl5	acprotect

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/804-20-0x0000000002630000-0x0000000002682000-memory.dmp	BazarLoaderVar5
behavioral1/memory/804-21-0x0000000180000000-0x0000000180053000-memory.dmp	BazarLoaderVar5
behavioral1/memory/804-22-0x0000000000360000-0x00000000003B0000-memory.dmp	BazarLoaderVar5

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1100-14-0x0000000010000000-0x0000000010005000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

3 1100 rundll32.exe
4 1100 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

dwug.exedwug.exe

pid process

804 dwug.exe
1920 dwug.exe

flow	pid	process
3	1100	rundll32.exe
4	1100	rundll32.exe

pid	process
804	dwug.exe
1920	dwug.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Public\12394.fl5	upx
\Users\Public\12394.fl5	upx

Loads dropped DLL 3 IoCs

Processes:

rundll32.exe

pid process

1100 rundll32.exe
1100 rundll32.exe
1100 rundll32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1100	rundll32.exe
1100	rundll32.exe
1100	rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1888 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEdwug.exedwug.exe

pid process

1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
804 dwug.exe
1920 dwug.exe

pid	process
1888	EXCEL.EXE

pid	process
1888	EXCEL.EXE
1888	EXCEL.EXE
1888	EXCEL.EXE
804	dwug.exe
1920	dwug.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exedwug.exe

description	pid	process	target process
PID 1888 wrote to memory of 1084	1888	EXCEL.EXE	cmd.exe
PID 1888 wrote to memory of 1084	1888	EXCEL.EXE	cmd.exe
PID 1888 wrote to memory of 1084	1888	EXCEL.EXE	cmd.exe
PID 1888 wrote to memory of 1084	1888	EXCEL.EXE	cmd.exe
PID 1084 wrote to memory of 392	1084	cmd.exe	certutil.exe
PID 1084 wrote to memory of 392	1084	cmd.exe	certutil.exe
PID 1084 wrote to memory of 392	1084	cmd.exe	certutil.exe
PID 1084 wrote to memory of 392	1084	cmd.exe	certutil.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1084 wrote to memory of 1100	1084	cmd.exe	rundll32.exe
PID 1100 wrote to memory of 804	1100	rundll32.exe	dwug.exe
PID 1100 wrote to memory of 804	1100	rundll32.exe	dwug.exe
PID 1100 wrote to memory of 804	1100	rundll32.exe	dwug.exe
PID 1100 wrote to memory of 804	1100	rundll32.exe	dwug.exe
PID 804 wrote to memory of 1920	804	dwug.exe	dwug.exe
PID 804 wrote to memory of 1920	804	dwug.exe	dwug.exe
PID 804 wrote to memory of 1920	804	dwug.exe	dwug.exe
PID 804 wrote to memory of 1920	804	dwug.exe	dwug.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1616715716.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\12394.xps %PUBLIC%\12394.fl5 && rundll32 %PUBLIC%\12394.fl5,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\12394.xps C:\Users\Public\12394.fl5
3⤵
PID:392

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\12394.fl5,DF1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\ProgramData\dwug\dwug.exe
"C:\ProgramData\dwug\dwug.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\ProgramData\dwug\dwug.exe
"C:\ProgramData\dwug\dwug.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dwug\dwug.exe

MD5
b5cb5ac79b76d8db06f631e4ab461074

SHA1
64c711c1b2d2297a17a548778f8bfa3ed7fae232

SHA256
d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9

SHA512
03ba6e92c1ca88071a8b9f41e9f102df05a261af2507c4b19d7705509e259e3d51d05418cb42c7252bf6d9313ede86a1035e83ea421c8abda1ca865ba3f4d649

Download Submit
C:\ProgramData\dwug\dwug.exe

MD5
b5cb5ac79b76d8db06f631e4ab461074

SHA1
64c711c1b2d2297a17a548778f8bfa3ed7fae232

SHA256
d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9

SHA512
03ba6e92c1ca88071a8b9f41e9f102df05a261af2507c4b19d7705509e259e3d51d05418cb42c7252bf6d9313ede86a1035e83ea421c8abda1ca865ba3f4d649

Download Submit
C:\ProgramData\dwug\dwug.exe

MD5
b5cb5ac79b76d8db06f631e4ab461074

SHA1
64c711c1b2d2297a17a548778f8bfa3ed7fae232

SHA256
d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9

SHA512
03ba6e92c1ca88071a8b9f41e9f102df05a261af2507c4b19d7705509e259e3d51d05418cb42c7252bf6d9313ede86a1035e83ea421c8abda1ca865ba3f4d649

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
f6a96c2e6f6d4c3b128da6d7b835783e

SHA1
2acb8fe085a14d38c166ac3f2151623ffb796efd

SHA256
7b616dc4a6fb6c0ae913d2a259a4f044508680a2e3a722bfed8551905171a749

SHA512
04c2f562b48197f987a68e48644ea425acfb8a1ecca4c72e088dbfb47e2e0680ea7574d0c617725dc1bce794c50f7ace16689db1ad564cafa6f4d06e51843cb7

Download Submit
C:\Users\Public\12394.fl5

MD5
5e61a7988375efe18897ff264b7c81b8

SHA1
8a487c189edd6e3cc32cee7709aa4e0c21d07491

SHA256
7aa4cb052ddfbccac10bdfeae585f15fa4bfbeadea5ece649234fcbc9fec2955

SHA512
14e3a48cad4e4d5ba848a793fd304dec5416a6652394241db91d7d029b205e252bf3d3c77dafe4a587a4748d6a558ba7ec3d417d211b6f58fc00b794ed7eb788

Download Submit
C:\Users\Public\12394.xps

MD5
8bd77cfc1367b015ae4b41271ef0f917

SHA1
d406dd185e1d2eb7a40d41818202a3e37192dc93

SHA256
27f6411f25ea347e2a6ad3a220f4be92fa57ed09bcc7f3098376dc9d12586b08

SHA512
58de781827db0cdd6ed4f1f11c02be1babc19787c0d79a4fae9ecb5a93c84fdb8bb239e7b2e90248b6f8d81213326aef535244024485b7bd46da61bd7f82c018

Download Submit
\ProgramData\dwug\dwug.exe

MD5
b5cb5ac79b76d8db06f631e4ab461074

SHA1
64c711c1b2d2297a17a548778f8bfa3ed7fae232

SHA256
d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9

SHA512
03ba6e92c1ca88071a8b9f41e9f102df05a261af2507c4b19d7705509e259e3d51d05418cb42c7252bf6d9313ede86a1035e83ea421c8abda1ca865ba3f4d649

Download Submit
\ProgramData\dwug\dwug.exe

MD5
b5cb5ac79b76d8db06f631e4ab461074

SHA1
64c711c1b2d2297a17a548778f8bfa3ed7fae232

SHA256
d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9

SHA512
03ba6e92c1ca88071a8b9f41e9f102df05a261af2507c4b19d7705509e259e3d51d05418cb42c7252bf6d9313ede86a1035e83ea421c8abda1ca865ba3f4d649

Download Submit
\Users\Public\12394.fl5

MD5
5e61a7988375efe18897ff264b7c81b8

SHA1
8a487c189edd6e3cc32cee7709aa4e0c21d07491

SHA256
7aa4cb052ddfbccac10bdfeae585f15fa4bfbeadea5ece649234fcbc9fec2955

SHA512
14e3a48cad4e4d5ba848a793fd304dec5416a6652394241db91d7d029b205e252bf3d3c77dafe4a587a4748d6a558ba7ec3d417d211b6f58fc00b794ed7eb788

Download Submit
memory/284-5-0x000007FEF5F60000-0x000007FEF61DA000-memory.dmp

Filesize
2.5MB

Download
memory/392-8-0x0000000075781000-0x0000000075783000-memory.dmp

Filesize
8KB

Download
memory/392-7-0x0000000000000000-mapping.dmp

Download
memory/804-17-0x0000000000000000-mapping.dmp

Download
memory/804-20-0x0000000002630000-0x0000000002682000-memory.dmp

Filesize
328KB

Download
memory/804-21-0x0000000180000000-0x0000000180053000-memory.dmp

Filesize
332KB

Download
memory/804-22-0x0000000000360000-0x00000000003B0000-memory.dmp

Filesize
320KB

Download
memory/1084-6-0x0000000000000000-mapping.dmp

Download
memory/1100-14-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1100-10-0x0000000000000000-mapping.dmp

Download
memory/1888-2-0x000000002F201000-0x000000002F204000-memory.dmp

Filesize
12KB

Download
memory/1888-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-3-0x0000000071271000-0x0000000071273000-memory.dmp

Filesize
8KB

Download
memory/1920-23-0x0000000000000000-mapping.dmp

Download