Overview

overview

10

Static

static

8

subscripti...3.xlsb

windows7_x64

10

subscripti...3.xlsb

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-04-2021 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    subscription_1617291613.xlsb

Score
10/10
bazarloadernloaderdropperloaderpersistence

Malware Config

Extracted

Language
xlm4.0
Source

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Nloader

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    loadernloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Bazar/Team9 Loader payload 5 IoCs
  • Nloader Payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui
        3⤵
          PID:1496
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\569390.ui,DF1
          3⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\ProgramData\tkqyg\tkqyg.exe
            "C:\ProgramData\tkqyg\tkqyg.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:792
            • C:\Windows\system32\cmd.exe
              cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe QB2KET
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:944
              • C:\Windows\system32\PING.EXE
                ping 8.8.7.7 -n 2
                6⤵
                • Runs ping.exe
                PID:552
              • C:\ProgramData\tkqyg\tkqyg.exe
                C:\ProgramData\tkqyg\tkqyg.exe QB2KET
                6⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1384
                • C:\Windows\system32\cmd.exe
                  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
                  7⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:524
                  • C:\Windows\system32\PING.EXE
                    ping 8.8.7.7 -n 2
                    8⤵
                    • Runs ping.exe
                    PID:1328
                  • C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
                    C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
                    8⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious use of WriteProcessMemory
                    PID:2032
                    • C:\Windows\system32\cmd.exe
                      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
                      9⤵
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:940
                      • C:\Windows\system32\PING.EXE
                        ping 8.8.7.7 -n 2
                        10⤵
                        • Runs ping.exe
                        PID:744
                      • C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
                        C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
                        10⤵
                        • Executes dropped EXE
                        PID:1172

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/744-14-0x0000000000150000-0x0000000000155000-memory.dmp

      Filesize

      20KB

      Download

    • memory/792-19-0x0000000001BA0000-0x0000000001BC3000-memory.dmp

      Filesize

      140KB

      Download

    • memory/792-20-0x00000000001E0000-0x0000000000202000-memory.dmp

      Filesize

      136KB

      Download

    • memory/792-18-0x0000000000430000-0x0000000000455000-memory.dmp

      Filesize

      148KB

      Download

    • memory/1068-3-0x0000000071681000-0x0000000071683000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1068-2-0x000000002FF01000-0x000000002FF04000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1068-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1384-27-0x0000000001D40000-0x0000000001D63000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1496-8-0x00000000756C1000-0x00000000756C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1728-5-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

      Filesize

      2.5MB

      Download

    • memory/2032-37-0x0000000000350000-0x0000000000373000-memory.dmp

      Filesize

      140KB

      Download