Analysis

max time kernel:  145s
max time network: 151s
platform:         windows7_x64
resource:         win7v20201028
submitted:        31-03-2021 19:27
Behavioral tasks
  behavioral1  sample subscription_1617218228.xlsb  resource win7v20201028
  behavioral2  sample subscription_1617218228.xlsb  resource win10v20201028

The signatures, process tree and memory dumps below are from behavioral1 (Windows 7 x64, 32-bit Office 2010); the Windows 10 run is not reproduced on this page.
General

Target:  subscription_1617218228.xlsb
Size:    240KB
MD5:     cc029b8675d3b262564d4d81c6008d5b
SHA1:    8ff96b31ed0dc8689d868dcabc610aa3efbbe13c
SHA256:  8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7
SHA512:  ab67497eb40b043ad18e6346eedbb906ce9411b660ae4ccb0b7939b891625fa324a0f505737251748ccc0874b85e0a6f453920d01d890e2e48f617821432ae61
Malware Config
Extracted: (nothing reported)

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  pid   pid_target  process       target process  description
  864   1832        cmd.exe       EXCEL.EXE       Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process
  1260  1832        rundll32.exe  EXCEL.EXE       Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process

Bazar/Team9 Loader payload (2 IoCs)
Matches:
  resource                                                                      yara_rule
  behavioral1/memory/1920-19-0x0000000000230000-0x0000000000264000-memory.dmp  BazarLoaderVar6
  behavioral1/memory/292-23-0x0000000000240000-0x0000000000274000-memory.dmp   BazarLoaderVar6

Nloader Payload (1 IoCs)
Matches:
  resource                                                                      yara_rule
  behavioral1/memory/1260-14-0x00000000001A0000-0x00000000001A5000-memory.dmp  nloader

Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  5     1260  rundll32.exe
  6     1260  rundll32.exe

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  1920  fjlq.exe
  292   fjlq.exe

Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
The .bazar TLD is not delegated in the public DNS root; it is an EmerDNS blockchain TLD answered only by OpenNIC-style alternative resolvers, so against an ordinary corporate resolver these lookups fail and the attempt itself is the indicator. Two readable names (vacationinsydney2021.bazar, bestsightsofwildaustralia.bazar) appear alongside 62 eight-character generated names; flow 48 and flow 49 are two separate lookups of the same name.
Processes (sorted by flow):
  flow  ioc
  24    vacationinsydney2021.bazar
  25    bestsightsofwildaustralia.bazar
  27    avgyygre.bazar
  29    udohygyw.bazar
  30    eksiekom.bazar
  32    ekquwyyw.bazar
  34    evoxygom.bazar
  36    udsiavyw.bazar
  38    yrquavom.bazar
  41    udxoekvi.bazar
  42    ewwoekyw.bazar
  44    avxowyre.bazar
  46    reqaavyw.bazar
  47    avqaekvi.bazar
  48    reoxwyre.bazar
  49    reoxwyre.bazar
  51    udraekom.bazar
  52    ewuxekom.bazar
  53    toxiwyom.bazar
  58    ewxiygom.bazar
  59    vixiavyw.bazar
  60    ekixekre.bazar
  62    yzxoekyw.bazar
  63    meezwyom.bazar
  65    onasekvi.bazar
  66    avgywyom.bazar
  68    ygixwyom.bazar
  72    yzdiygvi.bazar
  74    onrawyvi.bazar
  79    ywqaekyw.bazar
  81    toasavyw.bazar
  83    udaswyom.bazar
  84    udgywyre.bazar
  86    vidiekre.bazar
  87    avixavvi.bazar
  89    onqaekom.bazar
  90    viasavom.bazar
  91    ywkyavre.bazar
  92    evquekyw.bazar
  94    measygom.bazar
  96    meqaekre.bazar
  100   mequygom.bazar
  101   sosiygvi.bazar
  103   omaswyom.bazar
  104   ywxiavyw.bazar
  105   reohavvi.bazar
  106   eksiwyyw.bazar
  109   meoxwyyw.bazar
  110   reuxwyre.bazar
  112   onasavyw.bazar
  113   sowoekyw.bazar
  114   avgywyvi.bazar
  116   mekyygom.bazar
  117   ewezygom.bazar
  118   toohavyw.bazar
  121   ywixekyw.bazar
  123   tosiwyyw.bazar
  125   wawoygyw.bazar
  126   ywqaavvi.bazar
  128   evasekre.bazar
  133   waanygyw.bazar
  135   soraavvi.bazar
  136   omxoygvi.bazar
  137   ekraavre.bazar
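Because .bazar is only resolvable through OpenNIC/EmerDNS resolvers, a .bazar query in ordinary DNS telemetry is a high-confidence indicator whether or not it resolves. The Python below is an added example, not code from the report: it runs over a constructed Sysmon-style DNS query log (the domains are taken from the list above; the timestamps, pids and image paths are invented), flags queries under alternative-root TLDs, and treats a burst of such queries from one process as the stronger signal. Extending the TLD list beyond .bazar to the other EmerDNS TLDs (.coin, .emc, .lib) is this example's own assumption, not something the report shows.

```python
"""Flag DNS lookups for EmerDNS/OpenNIC alternative-root TLDs such as .bazar.

Added example, not part of the sandbox report. The input is a constructed,
Sysmon EventID 22-like query log (pid, image, query name); a real log
source needs its own parser in place of LINE_RE.
"""
import re
from collections import Counter

# .bazar is the TLD seen in the report. The other three are the remaining
# EmerDNS TLDs served by OpenNIC resolvers; including them is an assumption
# of this example, not something the report demonstrates.
ALT_ROOT_TLDS = (".bazar", ".coin", ".emc", ".lib")

# Constructed sample log. Domain names come from the report's IoC list;
# timestamps, pids and image paths are invented for illustration.
SAMPLE_LOG = """\
2021-03-31 19:28:01 pid=1260 image=C:\\Windows\\SysWOW64\\rundll32.exe query=api.opennicproject.org
2021-03-31 19:28:02 pid=1260 image=C:\\Windows\\SysWOW64\\rundll32.exe query=vacationinsydney2021.bazar
2021-03-31 19:28:02 pid=1260 image=C:\\Windows\\SysWOW64\\rundll32.exe query=bestsightsofwildaustralia.bazar
2021-03-31 19:28:03 pid=1260 image=C:\\Windows\\SysWOW64\\rundll32.exe query=avgyygre.bazar
2021-03-31 19:28:03 pid=1260 image=C:\\Windows\\SysWOW64\\rundll32.exe query=udohygyw.bazar
2021-03-31 19:28:05 pid=2208 image=C:\\Program Files\\Internet Explorer\\iexplore.exe query=www.microsoft.com
2021-03-31 19:28:06 pid=2208 image=C:\\Program Files\\Internet Explorer\\iexplore.exe query=bazar.example.com
"""

# Lazy match on the image path so paths containing spaces still parse.
LINE_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>.+?) query=(?P<query>\S+)")


def parse_queries(log_text):
    """Yield (pid, image, query) tuples; query is lower-cased with any trailing dot removed."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group("pid")), m.group("image"), m.group("query").lower().rstrip(".")


def is_alt_root_query(query):
    """True when the query's TLD is an alternative-root TLD.

    Matching on the ".<tld>" suffix means 'bazar.example.com' (TLD .com)
    is not flagged while 'reoxwyre.bazar' is.
    """
    return any(query.endswith(tld) for tld in ALT_ROOT_TLDS)


def find_alt_root_lookups(log_text, burst_threshold=3):
    """Return (hits, bursty_pids).

    hits is every flagged (pid, image, query) in log order. BazarLoader tries
    dozens of .bazar names in quick succession, so a pid whose flagged-query
    count reaches burst_threshold is reported separately as the strong signal.
    """
    hits = [(pid, image, q) for pid, image, q in parse_queries(log_text) if is_alt_root_query(q)]
    per_pid = Counter(pid for pid, _, _ in hits)
    bursty = sorted(pid for pid, n in per_pid.items() if n >= burst_threshold)
    return hits, bursty


def uses_opennic_api(log_text):
    """Return pids that looked up api.opennicproject.org.

    The report shows this host being used for an external-IP check. It is
    benign on its own, but it is the same project whose resolvers answer
    .bazar, so it is worth correlating with the alt-root hits above.
    """
    return sorted({pid for pid, _, q in parse_queries(log_text) if q == "api.opennicproject.org"})


if __name__ == "__main__":
    hits, bursty = find_alt_root_lookups(SAMPLE_LOG)
    for pid, image, q in hits:
        print(f"alt-root lookup  pid={pid}  {image}  ->  {q}")
    print("bursty pids:", bursty)
    print("pids touching api.opennicproject.org:", uses_opennic_api(SAMPLE_LOG))
```

The burst threshold is the part to tune: one .bazar lookup from a browser can be a typo, but several within a few seconds from rundll32.exe, preceded by a hit on api.opennicproject.org, reproduces exactly the pattern this report records for pid 1260.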

Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  1260  rundll32.exe
  1260  rundll32.exe
  1260  rundll32.exe
  876   (process name not recorded on the page)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP. The service here belongs to the OpenNIC project, whose resolvers are also what make the .bazar lookups above answerable.
Processes:
  flow  ioc (HTTP URL)
  19    https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Enumerates system info in registry (2 TTPs, 1 IoCs)
Low value on its own: the read is attributed to EXCEL.EXE and is ordinary application start-up behaviour.
Processes:
  description  ioc                                                                  process
  Key opened   \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor  EXCEL.EXE

Modifies Internet Explorer settings (8 IoCs)
All eight writes are EXCEL.EXE registering Office's own Internet Explorer context-menu extensions ("Export to Microsoft Excel", "Send to OneNote") and toolbar setting; they are host-application noise, not sample behaviour.
Processes:
  description      ioc                                                                                                                                                    process
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel                      EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote                                EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt                                                 EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"                EXCEL.EXE
  Set value (int)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"       EXCEL.EXE
  Key created      \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar                                                 EXCEL.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"                    EXCEL.EXE

Modifies system certificate store (2 IoCs)
Thumbprint DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA1 fingerprint of the public DST Root CA X3 root, and HKLM\...\SystemCertificates\AuthRoot is the store that Windows' automatic root-certificate update populates when a process first validates a chain to a root it does not yet hold. The two writes are therefore consistent with fjlq.exe making an outbound TLS connection, not with it installing a rogue root of its own.
Processes:
  description       ioc                                                                                                                          process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13          fjlq.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary blob not reproduced on the page)  fjlq.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
  pid   process
  1832  EXCEL.EXE

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid   process
  1832  EXCEL.EXE
  1832  EXCEL.EXE
  1832  EXCEL.EXE
  1832  EXCEL.EXE
  1832  EXCEL.EXE

Both of these are attributed to the Excel host process and are normal for Office; they do not add evidence against the sample.

Suspicious use of WriteProcessMemory (19 IoCs)
Each pair below is a parent writing into a child it has just spawned (compare the process tree), which is also what ordinary process creation looks like to this signature. Treat it as corroboration of the tree rather than as separate evidence of code injection.
Processes:
  pid   process       target pid  target process  writes
  1832  EXCEL.EXE     864         cmd.exe         4
  864   cmd.exe       1092        certutil.exe    4
  1832  EXCEL.EXE     1260        rundll32.exe    7
  1260  rundll32.exe  1920        fjlq.exe        4
Processes

EXCEL.EXE (pid 1832)  C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
  "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617218228.xlsb
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  cmd.exe (pid 864)  C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c certutil -decode %PUBLIC%\18482.bki %PUBLIC%\18482.xoq
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    certutil.exe (pid 1092)  C:\Windows\SysWOW64\certutil.exe
      certutil -decode C:\Users\Public\18482.bki C:\Users\Public\18482.xoq

  rundll32.exe (pid 1260)  C:\Windows\SysWOW64\rundll32.exe
    rundll32 C:\Users\Public\18482.xoq,DF1
    - Process spawned unexpected child process
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    fjlq.exe (pid 1920)  C:\ProgramData\fjlq\fjlq.exe
      "C:\ProgramData\fjlq\fjlq.exe"
      - Executes dropped EXE
      - Modifies system certificate store

fjlq.exe (pid 292)  C:\ProgramData\fjlq\fjlq.exe
  C:\ProgramData\fjlq\fjlq.exe 948774654
  - Executes dropped EXE

Reading the tree: Excel is 32-bit (Program Files (x86), SysWOW64 children) and was opened from the shell (/dde). The document has cmd.exe run certutil -decode to turn a base64 carrier in C:\Users\Public (18482.bki) into a binary (18482.xoq), which Excel then loads as a DLL through rundll32 by export name DF1; that loader drops and runs fjlq.exe from C:\ProgramData. The second fjlq.exe instance (pid 292) runs with a numeric argument and appears at the top level with no parent recorded on this page, so how it was launched is not shown here.
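The process tree above carries the whole detection story: Office spawning cmd.exe and rundll32.exe, certutil decoding a carrier from a user-writable path, rundll32 loading a module with a non-DLL extension by export name, and a dropped executable running from C:\ProgramData. The Python below is an added example, not part of the sandbox report or of any vendor's rule set: it replays constructed process-creation events that mirror the tree (pids, images and command lines are the report's; the parent pid of Excel and the benign splwow64.exe control row are invented) through a few rules an endpoint detection would carry, and correlates certutil's output path with the module rundll32 later loads.

```python
"""Detect the Excel -> cmd/certutil -> rundll32 -> dropped EXE chain from the report.

Added example, not part of the sandbox report. It runs over constructed
process-creation events with Sysmon EventID 1-style fields (pid, ppid,
image, cmdline). Pids and command lines follow the report's process tree;
Excel's own parent pid and the splwow64.exe control row are invented.
"""
import ntpath

# Parents that should not be launching command interpreters or loaders.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Commonly abused signed binaries; an illustrative list, not an exhaustive one.
LOLBINS = {"cmd.exe", "rundll32.exe", "certutil.exe", "powershell.exe",
           "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
# Locations an unprivileged user (and therefore a macro) can write to.
WRITABLE_MARKERS = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\", "\\temp\\")
# Extensions rundll32 is normally handed.
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx"}

# Constructed events mirroring the report's tree (see the module docstring).
EVENTS = [
    {"pid": 1832, "ppid": 524, "image": r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617218228.xlsb'},
    {"pid": 864, "ppid": 1832, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -decode %PUBLIC%\18482.bki %PUBLIC%\18482.xoq"},
    {"pid": 1092, "ppid": 864, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\Public\18482.bki C:\Users\Public\18482.xoq"},
    {"pid": 1260, "ppid": 1832, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\Public\18482.xoq,DF1"},
    {"pid": 1920, "ppid": 1260, "image": r"C:\ProgramData\fjlq\fjlq.exe",
     "cmdline": r'"C:\ProgramData\fjlq\fjlq.exe"'},
    # Invented benign control: the 32-bit print helper Excel routinely spawns.
    {"pid": 3004, "ppid": 1832, "image": r"C:\Windows\SysWOW64\splwow64.exe",
     "cmdline": r"C:\Windows\SysWOW64\splwow64.exe 12288"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestors(pid, by_pid):
    """Yield ancestor image names, nearest parent first, stopping at unknown pids."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield basename(by_pid[pid]["image"])


def in_writable_location(path):
    return any(marker in path.lower() for marker in WRITABLE_MARKERS)


def analyse(events):
    """Return a list of (pid, rule, detail) findings over the events, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    decoded_outputs = {}  # certutil output path -> certutil pid, for correlation
    for e in events:
        pid, name = e["pid"], basename(e["image"])
        tokens = e["cmdline"].lower().split()  # adequate for the unquoted paths used here
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""

        if parent_name in OFFICE_IMAGES and name in LOLBINS:
            findings.append((pid, "office_spawns_lolbin", f"{parent_name} -> {name}"))

        if name == "certutil.exe" and any(t in ("-decode", "/decode", "-urlcache", "/urlcache") for t in tokens):
            out = tokens[-1]  # certutil writes its result to the last argument
            decoded_outputs[out] = pid
            findings.append((pid, "certutil_decode_or_fetch", out))

        if name == "rundll32.exe" and len(tokens) > 1:
            module, _, export = tokens[1].partition(",")
            if ntpath.splitext(module)[1] not in DLL_EXTENSIONS:
                findings.append((pid, "rundll32_non_dll_module", f"{module} export={export or '-'}"))
            if in_writable_location(module):
                findings.append((pid, "rundll32_module_in_user_writable_path", module))
            if module in decoded_outputs:
                findings.append((pid, "rundll32_loads_certutil_output", f"decoded by pid {decoded_outputs[module]}"))

        if in_writable_location(e["image"]) and any(a in OFFICE_IMAGES for a in ancestors(pid, by_pid)):
            findings.append((pid, "exe_in_writable_path_under_office", e["image"]))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyse(EVENTS):
        print(f"pid {pid:<5} {rule:<40} {detail}")
```

The correlation step is the point. certutil -decode and rundll32 each fire constantly in a large estate, but a rundll32 module that is the output of a certutil decode moments earlier, sits in C:\Users\Public, has a non-.dll extension, is named by export, and has an Office ancestor is the exact shape of this report and is rare in legitimate use. The control row shows the Office-parent rule alone does not fire on every child Excel spawns.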
Downloads

C:\ProgramData\fjlq\fjlq.exe
  MD5     68defeb5cbf90fac11e4db64d2e39ab5
  SHA1    cd440bd01a0448ebc123bdc5fefbfb77ddc0a095
  SHA256  fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67
  SHA512  897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

C:\Users\Public\18482.bki
  MD5     28d777c925eecd3dd03b7d342161e57b
  SHA1    5530e73a70e4a6684f3dc726daf6b33b6809429d
  SHA256  7b4bdba416484dd49f169cb8de35fbe94ec6924c298a333bf9297182d1a1bfc5
  SHA512  d66fece28c293adcbef49d7043297480d21fe6fd607ca4d406da701a23b2c79047cbe58bf7daff293c000c9c04b777de1252637573ca74bef73934df82070f3c

C:\Users\Public\18482.xoq
  MD5     21068adcd7b6662375e49d5892724292
  SHA1    db01d964626ed80eab51e3705ca4cdf501a061ca
  SHA256  00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d
  SHA512  46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9
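The carrier C:\Users\Public\18482.bki is what certutil -decode turned into C:\Users\Public\18482.xoq, the module rundll32 then loaded by export DF1, so an analyst holding the .bki from disk can recover the stage without running certutil. The Python below is an added example, not part of the report: it reproduces the decode step (certutil -decode accepts base64 with or without -----BEGIN/END CERTIFICATE----- armour and ignores line breaks) and checks the result for a DOS/PE header before hashing it. The carrier it decodes is a constructed 128-byte dummy PE image; the real 18482.bki is not on the page, and the hash it would yield is given above (MD5 21068adcd7b6662375e49d5892724292) for comparison once the real file is in hand.

```python
"""Recover and triage a certutil-decoded stage from its base64 carrier.

Added example, not part of the sandbox report. Reproduces what
'certutil -decode 18482.bki 18482.xoq' does so the stage can be carved on
an analysis host, then classifies the output by its DOS/PE header. The
carrier used here is a constructed dummy PE, not the real 18482.bki.
"""
import base64
import hashlib
import re
import struct

# PEM armour lines as certutil -encode writes them (and -decode tolerates).
PEM_LINE_RE = re.compile(rb"^-----(BEGIN|END) [A-Z ]+-----\s*$", re.MULTILINE)


def certutil_decode(carrier):
    """Decode like 'certutil -decode': drop armour lines if present,
    ignore all whitespace (certutil writes CRLF, 64 columns), base64-decode."""
    body = PEM_LINE_RE.sub(b"", carrier)
    body = re.sub(rb"\s+", b"", body)
    return base64.b64decode(body, validate=True)


def classify(data):
    """'pe' for an MZ image whose e_lfanew points at 'PE\\0\\0', 'mz' for an
    MZ stub with a bad PE pointer, otherwise 'unknown'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz"


def triage(carrier):
    """Decode a carrier and return what an analyst records first:
    file kind, size and SHA-256 of the decoded stage."""
    data = certutil_decode(carrier)
    return {"kind": classify(data), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def build_dummy_pe():
    """Constructed 128-byte image: DOS header with e_lfanew = 0x40 -> 'PE\\0\\0'.
    Stands in for the real stage, which is not on the page."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def build_carrier(data, pem_armour=True):
    """Wrap data the way 'certutil -encode' does: 64-column base64 with CRLF
    line ends and CERTIFICATE armour; pem_armour=False gives the headerless
    form droppers commonly use, which -decode accepts just the same."""
    b64 = base64.b64encode(data)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if pem_armour:
        lines = [b"-----BEGIN CERTIFICATE-----"] + lines + [b"-----END CERTIFICATE-----"]
    return b"\r\n".join(lines) + b"\r\n"


if __name__ == "__main__":
    for armour in (True, False):
        print("armoured" if armour else "headerless", triage(build_carrier(build_dummy_pe(), armour)))
```

In a real case, swap build_carrier(...) for the bytes of 18482.bki and compare the resulting SHA-256 with the 18482.xoq hash listed above; a match confirms the on-disk .xoq is exactly what certutil produced and nothing re-wrote it before rundll32 loaded it.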

Memory dumps (behavioral1):
  resource                                                          size
  memory/292-23-0x0000000000240000-0x0000000000274000-memory.dmp    208KB
  memory/524-5-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp     2.5MB
  memory/864-6-0x0000000000000000-mapping.dmp                       -
  memory/1092-8-0x0000000076371000-0x0000000076373000-memory.dmp    8KB
  memory/1092-7-0x0000000000000000-mapping.dmp                      -
  memory/1260-14-0x00000000001A0000-0x00000000001A5000-memory.dmp   20KB
  memory/1260-10-0x0000000000000000-mapping.dmp                     -
  memory/1832-4-0x000000005FFF0000-0x0000000060000000-memory.dmp    64KB
  memory/1832-2-0x000000002FCA1000-0x000000002FCA4000-memory.dmp    12KB
  memory/1832-3-0x00000000717F1000-0x00000000717F3000-memory.dmp    8KB
  memory/1920-17-0x0000000000000000-mapping.dmp                     -
  memory/1920-20-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp   8KB
  memory/1920-19-0x0000000000230000-0x0000000000264000-memory.dmp   208KB

The two 208KB regions (pid 292 and pid 1920, both fjlq.exe) are the ones matched by the BazarLoaderVar6 rule above; the 20KB region in rundll32.exe (pid 1260) is the nloader match. The *-mapping.dmp entries carry no size because they record a mapping rather than a region's contents.