bazarloader | 785cee1832087169cb5ea280304865f96fa3ca42d6af6b97acb0204837d6c4d6

Analysis

max time kernel
150s
max time network
141s
platform
windows10_x64
resource
win10v20201028
submitted
29-03-2021 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subscription_1617037035.xlsb
Size

176KB
MD5

94dee992c9b32337944c537faad98fc3
SHA1

03028e9d85889ef3f6d7a202fa8b48d4f28189cc
SHA256

785cee1832087169cb5ea280304865f96fa3ca42d6af6b97acb0204837d6c4d6
SHA512

d47f9b88624e14a4f8b7cc0e1ad0aac7450d1699527f7997ec098e5ce023f2d713296cafa35aee4199dd1ef93236928454c9e60a342b4a0f70902833d85ac5fd

Score

10^/10

bazarloader nloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2092	648	cmd.exe	EXCEL.EXE

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2076-22-0x0000000180000000-0x0000000180032000-memory.dmp	BazarLoaderVar1

Nloader Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1712-14-0x0000000002B50000-0x0000000002B59000-memory.dmp	nloader
behavioral2/memory/1712-15-0x0000000002B60000-0x0000000002B67000-memory.dmp	nloader
behavioral2/memory/1712-16-0x0000000002D40000-0x0000000002D45000-memory.dmp	nloader
behavioral2/memory/1712-17-0x00000000005F0000-0x00000000005F6000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

13 1712 rundll32.exe
26 1712 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

huqvg.exehuqvg.exeRCCD63C.exeRCCD63C.exe

pid process

2076 huqvg.exe
3848 huqvg.exe
1068 RCCD63C.exe
2000 RCCD63C.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1712 rundll32.exe

flow	pid	process
13	1712	rundll32.exe
26	1712	rundll32.exe

pid	process
2076	huqvg.exe
3848	huqvg.exe
1068	RCCD63C.exe
2000	RCCD63C.exe

pid	process
1712	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RCCD63C.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RCCD63C.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BFFLSPUL8 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v R5MMYFWEP2 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RCCD63C.exe\\\" B7TP738\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RCCD63C.exe\" B7TP738"	RCCD63C.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3840 PING.EXE
2088 PING.EXE
3908 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

648 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

huqvg.exe

pid process

2076 huqvg.exe
2076 huqvg.exe

pid	process
3840	PING.EXE
2088	PING.EXE
3908	PING.EXE

pid	process
2076	huqvg.exe
2076	huqvg.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE
648	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exehuqvg.execmd.exehuqvg.execmd.exeRCCD63C.execmd.exe

description	pid	process	target process
PID 648 wrote to memory of 2092	648	EXCEL.EXE	cmd.exe
PID 648 wrote to memory of 2092	648	EXCEL.EXE	cmd.exe
PID 2092 wrote to memory of 1924	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 1924	2092	cmd.exe	certutil.exe
PID 2092 wrote to memory of 3548	2092	cmd.exe	rundll32.exe
PID 2092 wrote to memory of 3548	2092	cmd.exe	rundll32.exe
PID 3548 wrote to memory of 1712	3548	rundll32.exe	rundll32.exe
PID 3548 wrote to memory of 1712	3548	rundll32.exe	rundll32.exe
PID 3548 wrote to memory of 1712	3548	rundll32.exe	rundll32.exe
PID 1712 wrote to memory of 2076	1712	rundll32.exe	huqvg.exe
PID 1712 wrote to memory of 2076	1712	rundll32.exe	huqvg.exe
PID 2076 wrote to memory of 3612	2076	huqvg.exe	cmd.exe
PID 2076 wrote to memory of 3612	2076	huqvg.exe	cmd.exe
PID 3612 wrote to memory of 3840	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 3840	3612	cmd.exe	PING.EXE
PID 3612 wrote to memory of 3848	3612	cmd.exe	huqvg.exe
PID 3612 wrote to memory of 3848	3612	cmd.exe	huqvg.exe
PID 3848 wrote to memory of 1224	3848	huqvg.exe	cmd.exe
PID 3848 wrote to memory of 1224	3848	huqvg.exe	cmd.exe
PID 1224 wrote to memory of 2088	1224	cmd.exe	PING.EXE
PID 1224 wrote to memory of 2088	1224	cmd.exe	PING.EXE
PID 1224 wrote to memory of 1068	1224	cmd.exe	RCCD63C.exe
PID 1224 wrote to memory of 1068	1224	cmd.exe	RCCD63C.exe
PID 1068 wrote to memory of 1580	1068	RCCD63C.exe	cmd.exe
PID 1068 wrote to memory of 1580	1068	RCCD63C.exe	cmd.exe
PID 1580 wrote to memory of 3908	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 3908	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 2000	1580	cmd.exe	RCCD63C.exe
PID 1580 wrote to memory of 2000	1580	cmd.exe	RCCD63C.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617037035.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1 && rundll32 %PUBLIC%\4123.do1,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
3⤵
PID:1924

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\ProgramData\huqvg\huqvg.exe
"C:\ProgramData\huqvg\huqvg.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\ProgramData\huqvg\huqvg.exe BC2NS
6⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:3840

C:\ProgramData\huqvg\huqvg.exe
C:\ProgramData\huqvg\huqvg.exe BC2NS
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe DC8E
8⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
9⤵
- Runs ping.exe
PID:2088

C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe
C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe DC8E
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe B7TP738
10⤵
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
11⤵
- Runs ping.exe
PID:3908

C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe
C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe B7TP738
11⤵
- Executes dropped EXE
PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\huqvg\huqvg.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\ProgramData\huqvg\huqvg.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\ProgramData\huqvg\huqvg.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCCD63C.exe

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Public\4123.do1

MD5
f776deb4df137b37dcae5406c8f3a07a

SHA1
f6a31b594fca39c118927405fa4d14353b8fd49a

SHA256
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

SHA512
4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

Download Submit
C:\Users\Public\4123.xsg

MD5
c87e1dee1275fed1f7ee813b97ccb17b

SHA1
e8313978e3c0dff6355b843cd470949c719032c6

SHA256
92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d

SHA512
2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35

Download Submit
\Users\Public\4123.do1

MD5
f776deb4df137b37dcae5406c8f3a07a

SHA1
f6a31b594fca39c118927405fa4d14353b8fd49a

SHA256
93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e

SHA512
4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2

Download Submit
memory/648-6-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-5-0x00007FF851B10000-0x00007FF852147000-memory.dmp

Filesize
6.2MB

Download
memory/648-4-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-2-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/648-3-0x00007FF82D760000-0x00007FF82D770000-memory.dmp

Filesize
64KB

Download
memory/1068-30-0x0000000000000000-mapping.dmp

Download
memory/1224-28-0x0000000000000000-mapping.dmp

Download
memory/1580-34-0x0000000000000000-mapping.dmp

Download
memory/1712-14-0x0000000002B50000-0x0000000002B59000-memory.dmp

Filesize
36KB

Download
memory/1712-17-0x00000000005F0000-0x00000000005F6000-memory.dmp

Filesize
24KB

Download
memory/1712-20-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1712-16-0x0000000002D40000-0x0000000002D45000-memory.dmp

Filesize
20KB

Download
memory/1712-15-0x0000000002B60000-0x0000000002B67000-memory.dmp

Filesize
28KB

Download
memory/1712-12-0x0000000000000000-mapping.dmp

Download
memory/1924-8-0x0000000000000000-mapping.dmp

Download
memory/2000-36-0x0000000000000000-mapping.dmp

Download
memory/2076-18-0x0000000000000000-mapping.dmp

Download
memory/2076-22-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download
memory/2088-29-0x0000000000000000-mapping.dmp

Download
memory/2092-7-0x0000000000000000-mapping.dmp

Download
memory/3548-10-0x0000000000000000-mapping.dmp

Download
memory/3612-23-0x0000000000000000-mapping.dmp

Download
memory/3840-24-0x0000000000000000-mapping.dmp

Download
memory/3848-25-0x0000000000000000-mapping.dmp

Download
memory/3908-35-0x0000000000000000-mapping.dmp

Download