Analysis
- max time kernel: 147s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 31-03-2021 19:27
Behavioral task: behavioral1
- Sample: subscription_1617218228.xlsb
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: subscription_1617218228.xlsb
- Resource: win10v20201028
General
- Target: subscription_1617218228.xlsb
- Size: 240KB
- MD5: cc029b8675d3b262564d4d81c6008d5b
- SHA1: 8ff96b31ed0dc8689d868dcabc610aa3efbbe13c
- SHA256: 8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7
- SHA512: ab67497eb40b043ad18e6346eedbb906ce9411b660ae4ccb0b7939b891625fa324a0f505737251748ccc0874b85e0a6f453920d01d890e2e48f617821432ae61
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Process spawned unexpected child process (2 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
  - cmd.exe (PID 3776), spawned by EXCEL.EXE (PID 3116): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
  - rundll32.exe (PID 2784), spawned by EXCEL.EXE (PID 3116): Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
- Bazar/Team9 Loader payload (2 IoCs)
  Resources matched by YARA rule:
  - behavioral2/memory/1792-19-0x00000268FAAE0000-0x00000268FAB14000-memory.dmp: BazarLoaderVar6
  - behavioral2/memory/2888-29-0x0000029255AD0000-0x0000029255B04000-memory.dmp: BazarLoaderVar6
- Nloader Payload (1 IoC)
  Resources matched by YARA rule:
  - behavioral2/memory/3712-14-0x00000000004E0000-0x00000000004E5000-memory.dmp: nloader
- Blocklisted process makes network request (2 IoCs)
  Processes:
  - flow 32: rundll32.exe (PID 3712)
  - flow 33: rundll32.exe (PID 3712)
- Executes dropped EXE (2 IoCs)
  Processes:
  - fjlq.exe (PID 1792)
  - fjlq.exe (PID 2888)
- Tries to connect to .bazar domain (64 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Loads dropped DLL (1 IoC)
  Processes:
  - rundll32.exe (PID 3712)
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - EXCEL.EXE (PID 3116)
- Suspicious use of SetWindowsHookEx (12 IoCs)
  Processes:
  - EXCEL.EXE (PID 3116), 12 entries
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 3116 wrote to memory of 3776: EXCEL.EXE to cmd.exe (2 entries)
  - PID 3776 wrote to memory of 3952: cmd.exe to certutil.exe (2 entries)
  - PID 3116 wrote to memory of 2784: EXCEL.EXE to rundll32.exe (2 entries)
  - PID 2784 wrote to memory of 3712: rundll32.exe to rundll32.exe (3 entries)
  - PID 3712 wrote to memory of 1792: rundll32.exe to fjlq.exe (1 entry)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617218228.xlsb"
  Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd.exe /c certutil -decode %PUBLIC%\18482.bki %PUBLIC%\18482.xoq
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe
      Command line: certutil -decode C:\Users\Public\18482.bki C:\Users\Public\18482.xoq
  - C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32 C:\Users\Public\18482.xoq,DF1
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 C:\Users\Public\18482.xoq,DF1
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\ProgramData\fjlq\fjlq.exe
        Command line: "C:\ProgramData\fjlq\fjlq.exe"
        Signatures: Executes dropped EXE
- C:\ProgramData\fjlq\fjlq.exe
  Command line: C:\ProgramData\fjlq\fjlq.exe 1374627430
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\fjlq\fjlq.exe
  MD5: 68defeb5cbf90fac11e4db64d2e39ab5
  SHA1: cd440bd01a0448ebc123bdc5fefbfb77ddc0a095
  SHA256: fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67
  SHA512: 897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af
- C:\Users\Public\18482.bki
  MD5: 28d777c925eecd3dd03b7d342161e57b
  SHA1: 5530e73a70e4a6684f3dc726daf6b33b6809429d
  SHA256: 7b4bdba416484dd49f169cb8de35fbe94ec6924c298a333bf9297182d1a1bfc5
  SHA512: d66fece28c293adcbef49d7043297480d21fe6fd607ca4d406da701a23b2c79047cbe58bf7daff293c000c9c04b777de1252637573ca74bef73934df82070f3c
- C:\Users\Public\18482.xoq
  MD5: 21068adcd7b6662375e49d5892724292
  SHA1: db01d964626ed80eab51e3705ca4cdf501a061ca
  SHA256: 00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d
  SHA512: 46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9
- memory/1792-19-0x00000268FAAE0000-0x00000268FAB14000-memory.dmp (208KB)
- memory/1792-15-0x0000000000000000-mapping.dmp
- memory/2784-10-0x0000000000000000-mapping.dmp
- memory/2888-29-0x0000029255AD0000-0x0000029255B04000-memory.dmp (208KB)
- memory/3116-6-0x00007FF81FB20000-0x00007FF820157000-memory.dmp (6.2MB)
- memory/3116-2-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp (64KB)
- memory/3116-5-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp (64KB)
- memory/3116-4-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp (64KB)
- memory/3116-3-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp (64KB)
- memory/3712-12-0x0000000000000000-mapping.dmp
- memory/3712-14-0x00000000004E0000-0x00000000004E5000-memory.dmp (20KB)
- memory/3776-7-0x0000000000000000-mapping.dmp
- memory/3952-8-0x0000000000000000-mapping.dmp