subscription_1617291613.xlsb.zip

General
Target: subscription_1617291613.xlsb
Filesize: 207KB
Completed: 01-04-2021 18:56
Score: 10/10

Malware Config
Extracted: Language xlm4.0
Source:

Signatures: 16

Tactics: Defense Evasion, Discovery, Persistence
  • Bazar Loader

    Description

    Detected loader normally used to deploy BazarBackdoor malware.

  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process
    cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | 1672 | 1068 | cmd.exe | EXCEL.EXE
  • Bazar/Team9 Loader payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/792-19-0x0000000001BA0000-0x0000000001BC3000-memory.dmp | BazarLoaderVar1
    behavioral1/memory/792-18-0x0000000000430000-0x0000000000455000-memory.dmp | BazarLoaderVar1
    behavioral1/memory/792-20-0x00000000001E0000-0x0000000000202000-memory.dmp | BazarLoaderVar1
    behavioral1/memory/1384-27-0x0000000001D40000-0x0000000001D63000-memory.dmp | BazarLoaderVar1
    behavioral1/memory/2032-37-0x0000000000350000-0x0000000000373000-memory.dmp | BazarLoaderVar1
  • Nloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/744-14-0x0000000000150000-0x0000000000155000-memory.dmp | nloader
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    3 | 744 | rundll32.exe
    4 | 744 | rundll32.exe
  • Executes dropped EXE
    tkqyg.exe, tkqyg.exe, CPPB25E.exe, CPPB25E.exe

    Reported IOCs

    pid | process
    792 | tkqyg.exe
    1384 | tkqyg.exe
    2032 | CPPB25E.exe
    1172 | CPPB25E.exe
  • Loads dropped DLL
    rundll32.exe, cmd.exe, cmd.exe

    Reported IOCs

    pid | process
    744 | rundll32.exe
    744 | rundll32.exe
    524 | cmd.exe
    940 | cmd.exe
  • Adds Run key to start application
    CPPB25E.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MK90GJVY4Y = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v WYILGH4LL /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CPPB25E.exe O3PAB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\CPPB25E.exe O3PAB" | CPPB25E.exe
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | EXCEL.EXE
  • Modifies Internet Explorer settings
    EXCEL.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | EXCEL.EXE
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | EXCEL.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | EXCEL.EXE
    Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | EXCEL.EXE
  • Runs ping.exe
    PING.EXE, PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    744 | PING.EXE
    552 | PING.EXE
    1328 | PING.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    1068 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    tkqyg.exe

    Reported IOCs

    pid | process
    792 | tkqyg.exe
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    1068 | EXCEL.EXE
    1068 | EXCEL.EXE
    1068 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe, rundll32.exe, tkqyg.exe, cmd.exe, tkqyg.exe, cmd.exe, CPPB25E.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1068 wrote to memory of 1672 | 1068 | EXCEL.EXE | cmd.exe
    PID 1068 wrote to memory of 1672 | 1068 | EXCEL.EXE | cmd.exe
    PID 1068 wrote to memory of 1672 | 1068 | EXCEL.EXE | cmd.exe
    PID 1068 wrote to memory of 1672 | 1068 | EXCEL.EXE | cmd.exe
    PID 1672 wrote to memory of 1496 | 1672 | cmd.exe | certutil.exe
    PID 1672 wrote to memory of 1496 | 1672 | cmd.exe | certutil.exe
    PID 1672 wrote to memory of 1496 | 1672 | cmd.exe | certutil.exe
    PID 1672 wrote to memory of 1496 | 1672 | cmd.exe | certutil.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 1672 wrote to memory of 744 | 1672 | cmd.exe | rundll32.exe
    PID 744 wrote to memory of 792 | 744 | rundll32.exe | tkqyg.exe
    PID 744 wrote to memory of 792 | 744 | rundll32.exe | tkqyg.exe
    PID 744 wrote to memory of 792 | 744 | rundll32.exe | tkqyg.exe
    PID 744 wrote to memory of 792 | 744 | rundll32.exe | tkqyg.exe
    PID 792 wrote to memory of 944 | 792 | tkqyg.exe | cmd.exe
    PID 792 wrote to memory of 944 | 792 | tkqyg.exe | cmd.exe
    PID 792 wrote to memory of 944 | 792 | tkqyg.exe | cmd.exe
    PID 944 wrote to memory of 552 | 944 | cmd.exe | PING.EXE
    PID 944 wrote to memory of 552 | 944 | cmd.exe | PING.EXE
    PID 944 wrote to memory of 552 | 944 | cmd.exe | PING.EXE
    PID 944 wrote to memory of 1384 | 944 | cmd.exe | tkqyg.exe
    PID 944 wrote to memory of 1384 | 944 | cmd.exe | tkqyg.exe
    PID 944 wrote to memory of 1384 | 944 | cmd.exe | tkqyg.exe
    PID 1384 wrote to memory of 524 | 1384 | tkqyg.exe | cmd.exe
    PID 1384 wrote to memory of 524 | 1384 | tkqyg.exe | cmd.exe
    PID 1384 wrote to memory of 524 | 1384 | tkqyg.exe | cmd.exe
    PID 524 wrote to memory of 1328 | 524 | cmd.exe | PING.EXE
    PID 524 wrote to memory of 1328 | 524 | cmd.exe | PING.EXE
    PID 524 wrote to memory of 1328 | 524 | cmd.exe | PING.EXE
    PID 524 wrote to memory of 2032 | 524 | cmd.exe | CPPB25E.exe
    PID 524 wrote to memory of 2032 | 524 | cmd.exe | CPPB25E.exe
    PID 524 wrote to memory of 2032 | 524 | cmd.exe | CPPB25E.exe
    PID 2032 wrote to memory of 940 | 2032 | CPPB25E.exe | cmd.exe
    PID 2032 wrote to memory of 940 | 2032 | CPPB25E.exe | cmd.exe
    PID 2032 wrote to memory of 940 | 2032 | CPPB25E.exe | cmd.exe
    PID 940 wrote to memory of 744 | 940 | cmd.exe | PING.EXE
    PID 940 wrote to memory of 744 | 940 | cmd.exe | PING.EXE
    PID 940 wrote to memory of 744 | 940 | cmd.exe | PING.EXE
    PID 940 wrote to memory of 1172 | 940 | cmd.exe | CPPB25E.exe
    PID 940 wrote to memory of 1172 | 940 | cmd.exe | CPPB25E.exe
    PID 940 wrote to memory of 1172 | 940 | cmd.exe | CPPB25E.exe
Processes (14)
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb
    Enumerates system info in registry
    Modifies Internet Explorer settings
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui
        PID:1496
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 C:\Users\Public\569390.ui,DF1
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        PID:744
        • C:\ProgramData\tkqyg\tkqyg.exe
          "C:\ProgramData\tkqyg\tkqyg.exe"
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:792
          • C:\Windows\system32\cmd.exe
            cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe QB2KET
            Suspicious use of WriteProcessMemory
            PID:944
            • C:\Windows\system32\PING.EXE
              ping 8.8.7.7 -n 2
              Runs ping.exe
              PID:552
            • C:\ProgramData\tkqyg\tkqyg.exe
              C:\ProgramData\tkqyg\tkqyg.exe QB2KET
              Executes dropped EXE
              Suspicious use of WriteProcessMemory
              PID:1384
              • C:\Windows\system32\cmd.exe
                cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
                Loads dropped DLL
                Suspicious use of WriteProcessMemory
                PID:524
                • C:\Windows\system32\PING.EXE
                  ping 8.8.7.7 -n 2
                  Runs ping.exe
                  PID:1328
                • C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
                  C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD
                  Executes dropped EXE
                  Adds Run key to start application
                  Suspicious use of WriteProcessMemory
                  PID:2032
                  • C:\Windows\system32\cmd.exe
                    cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
                    Loads dropped DLL
                    Suspicious use of WriteProcessMemory
                    PID:940
                    • C:\Windows\system32\PING.EXE
                      ping 8.8.7.7 -n 2
                      Runs ping.exe
                      PID:744
                    • C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe
                      C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB
                      Executes dropped EXE
                      PID:1172
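The tree above is the whole chain a detection engineer wants to match: EXCEL.EXE (XLM 4.0 macro) spawning cmd.exe, certutil -decode rebuilding a payload under %PUBLIC%, rundll32 loading a file with a .ui extension by export name, a dropped EXE re-launching itself through a ping delay, and finally the RunOnce value from the "Adds Run key" signature that re-registers the binary under Run via reg.exe. What follows is an added example, not part of the sandbox output or of the malware: Python that runs a handful of rules over process-creation events constructed from this report's process tree and checks the RunOnce value from the registry IOC. The event schema (pid, ppid, image, cmdline), the parent PID assumed for EXCEL.EXE, the rule names and the list of staging directories are assumptions, not any product's format.

```python
# Added example (not from the sandbox report): rule-based detection over
# process-creation events and autorun values constructed from the report.
# Event schema, rule names and staging-directory list are assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# User-writable directories the chain stages from; suspicious, not conclusive.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")

CMDLINE_RULES = [
    ("certutil_decode", re.compile(r"certutil(\.exe)?\b.*\s-(decode|urlcache|encode)\b", re.I)),
    ("ping_sleep_start", re.compile(r"\bping\b[^&]*-n\s+\d+[^&]*&\s*start\b", re.I)),
    ("reg_add_run_key", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]
RUNDLL32_TARGET = re.compile(r'rundll32(\.exe)?\s+"?([^",\s]+)"?\s*,', re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) hits. Events must be in creation order: the report
    reuses PID 744 (rundll32.exe, later PING.EXE), so a child's parent is
    whichever process held the ppid when the child was created."""
    alive, hits = {}, []
    for e in events:
        parent = alive.get(e.ppid)
        if parent and basename(parent.image) in OFFICE_APPS and basename(e.image) in LOLBINS:
            hits.append(("office_spawns_lolbin", e.pid))
        m = RUNDLL32_TARGET.search(e.cmdline)
        if m and not m.group(2).lower().endswith(".dll"):
            hits.append(("rundll32_non_dll", e.pid))   # e.g. 569390.ui,DF1
        for name, rx in CMDLINE_RULES:
            if rx.search(e.cmdline):
                hits.append((name, e.pid))
        if any(d in e.image.lower() for d in STAGING_DIRS):
            hits.append(("exec_from_staging_dir", e.pid))
        alive[e.pid] = e
    return hits


def check_autorun_value(key_path, data):
    """Reasons a Run/RunOnce value is suspicious: it registers another Run
    value through reg.exe (the RunOnce -> Run hop in the report) or launches
    from a staging directory. Empty list means nothing flagged."""
    if not AUTORUN_KEY.search(key_path):
        return []
    reasons = []
    if CMDLINE_RULES[2][1].search(data):
        reasons.append("nested_reg_add_run")
    if any(d in data.lower() for d in STAGING_DIRS):
        reasons.append("autorun_from_staging_dir")
    return reasons


# Constructed from the report's process tree; ppid 1000 for EXCEL.EXE is assumed.
SAMPLE_EVENTS = [ProcEvent(*t) for t in [
    (1068, 1000, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb'),
    (1672, 1068, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1"),
    (1496, 1672, r"C:\Windows\SysWOW64\certutil.exe", r"certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui"),
    (744, 1672, r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32 C:\Users\Public\569390.ui,DF1"),
    (792, 744, r"C:\ProgramData\tkqyg\tkqyg.exe", r'"C:\ProgramData\tkqyg\tkqyg.exe"'),
    (944, 792, r"C:\Windows\system32\cmd.exe", r"cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe QB2KET"),
    (552, 944, r"C:\Windows\system32\PING.EXE", r"ping 8.8.7.7 -n 2"),
    (1384, 944, r"C:\ProgramData\tkqyg\tkqyg.exe", r"C:\ProgramData\tkqyg\tkqyg.exe QB2KET"),
    (524, 1384, r"C:\Windows\system32\cmd.exe", r"cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD"),
    (1328, 524, r"C:\Windows\system32\PING.EXE", r"ping 8.8.7.7 -n 2"),
    (2032, 524, r"C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe", r"C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe MEW1DLD"),
    (940, 2032, r"C:\Windows\system32\cmd.exe", r"cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB"),
    (744, 940, r"C:\Windows\system32\PING.EXE", r"ping 8.8.7.7 -n 2"),   # PID 744 reused
    (1172, 940, r"C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe", r"C:\Users\Admin\AppData\Local\Temp\cPPB25E.exe O3PAB"),
]]

# RunOnce value from the report, with the dump's doubled backslashes collapsed
# to the form the registry actually holds.
SAMPLE_RUNONCE_KEY = r"\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MK90GJVY4Y"
SAMPLE_RUNONCE_DATA = (r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v WYILGH4LL /t REG_SZ '
                       r'/d "C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe O3PAB" & start "H" C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe O3PAB')

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid}")
    print("RunOnce value:", check_autorun_value(SAMPLE_RUNONCE_KEY, SAMPLE_RUNONCE_DATA))
```

Two points from running this against the report's own tree: the parent lookup keeps a map of live PIDs rather than indexing all events by PID, because PID 744 is rundll32.exe early in the chain and PING.EXE at the end, and a naive index would attach the wrong parent to the ping; and the RunOnce value is flagged for two independent reasons, so a tuned rule that only looks for direct Run-key writes by a non-installer process would still catch the second hop when reg.exe runs at next logon.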
Network

MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

                    Downloads
                    • C:\ProgramData\tkqyg\tkqyg.exe

                      MD5

                      81e6dcf2510ffc2400743e912448013f

                      SHA1

                      b1b29fff6348b805851513ce8812990a2f5a4e39

                      SHA256

                      258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

                      SHA512

                      f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

                    • C:\Users\Admin\AppData\Local\Temp\CPPB25E.exe

                      MD5

                      81e6dcf2510ffc2400743e912448013f

                      SHA1

                      b1b29fff6348b805851513ce8812990a2f5a4e39

                      SHA256

                      258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

                      SHA512

                      f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

                      MD5

                      9d96c6e1a217708aa7a2e8466fa9a3ad

                      SHA1

                      1b501be99ec067c24bf1453b80ba43c3be74129d

                      SHA256

                      9a2d013b1362250440641e7d7fe10bcefe1ce170ff6b8b2847756a15e139836b

                      SHA512

                      82a8d4aa8f85e5340898cad16be3f6ca87cb0299488f88eb0707fbb4cc5e5b5188389408ca0c7507258a6f79f206f81276a50e97ccb7773f088a7bbdaa6dc52a

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

                      MD5

                      11f2c51d9e159cc23771640061d60f88

                      SHA1

                      c929a5c7ad079290f545fce346bcc73f5079ea94

                      SHA256

                      f9d29df85cdadebc35ca53c6be476931b9380892a646c1ae912bf032bf519c8f

                      SHA512

                      eb3fef822c982504052cf0c710d09e107d1621b40852df20726af17b426a7a3a5906aea328193ec020a62de490ac2505592f05f7b0aa0a02cdc56ad6a06044fd

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

                      MD5

                      343dc36a00dc66f25224b9956963cc95

                      SHA1

                      0c2740b2b4c16f258bb08095925ec0fc67bc9fd6

                      SHA256

                      40734428dd1c172d31a68666d769c77fb18cc77d16fef37d4f67776facce13ed

                      SHA512

                      d6e295f6ba7ab6501b93f26ef6607cf0976c6d06524756b1850d1308adcd134fa97afda1e0bb37d24f4ea01de9a6bb8362c6b3f3ab580f1b0e90cfc998e518ea

                    • C:\Users\Public\569390.pdi

                      MD5

                      5cc5f895b91ab4c1835ac9b83e86663b

                      SHA1

                      b51565a65b167172b71516435f4118ec9a278673

                      SHA256

                      81a75221faf7f28e2b2ce76471499d72b94da9ae48e0e1dc5bf01060e9195065

                      SHA512

                      3a4289acdc392d999f4edde46c4261956b9be0aba355dc730a7bee08b9b00dff8733f84c97365aa773fad8bde29aa8dc040aac3067e7af3e7f75049c897e08f0

                    • C:\Users\Public\569390.ui

                      MD5

                      f4dc5b1151ed77bfcfae8b73147d93c2

                      SHA1

                      e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

                      SHA256

                      71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

                      SHA512

                      077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

                    • \ProgramData\tkqyg\tkqyg.exe

                      MD5

                      81e6dcf2510ffc2400743e912448013f

                      SHA1

                      b1b29fff6348b805851513ce8812990a2f5a4e39

                      SHA256

                      258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

                      SHA512

                      f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

                    • \Users\Admin\AppData\Local\Temp\CPPB25E.exe

                      MD5

                      81e6dcf2510ffc2400743e912448013f

                      SHA1

                      b1b29fff6348b805851513ce8812990a2f5a4e39

                      SHA256

                      258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

                      SHA512

                      f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

                    • \Users\Public\569390.ui

                      MD5

                      f4dc5b1151ed77bfcfae8b73147d93c2

                      SHA1

                      e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

                      SHA256

                      71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

                      SHA512

                      077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

                    • memory/524-30-0x0000000000000000-mapping.dmp

                    • memory/552-22-0x0000000000000000-mapping.dmp

                    • memory/744-14-0x0000000000150000-0x0000000000155000-memory.dmp

                    • memory/744-10-0x0000000000000000-mapping.dmp

                    • memory/744-40-0x0000000000000000-mapping.dmp

                    • memory/792-20-0x00000000001E0000-0x0000000000202000-memory.dmp

                    • memory/792-16-0x0000000000000000-mapping.dmp

                    • memory/792-18-0x0000000000430000-0x0000000000455000-memory.dmp

                    • memory/792-19-0x0000000001BA0000-0x0000000001BC3000-memory.dmp

                    • memory/940-39-0x0000000000000000-mapping.dmp

                    • memory/944-21-0x0000000000000000-mapping.dmp

                    • memory/1068-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

                    • memory/1068-3-0x0000000071681000-0x0000000071683000-memory.dmp

                    • memory/1068-2-0x000000002FF01000-0x000000002FF04000-memory.dmp

                    • memory/1172-42-0x0000000000000000-mapping.dmp

                    • memory/1328-31-0x0000000000000000-mapping.dmp

                    • memory/1384-27-0x0000000001D40000-0x0000000001D63000-memory.dmp

                    • memory/1384-23-0x0000000000000000-mapping.dmp

                    • memory/1496-7-0x0000000000000000-mapping.dmp

                    • memory/1496-8-0x00000000756C1000-0x00000000756C3000-memory.dmp

                    • memory/1672-6-0x0000000000000000-mapping.dmp

                    • memory/1728-5-0x000007FEF6500000-0x000007FEF677A000-memory.dmp

                    • memory/2032-33-0x0000000000000000-mapping.dmp

                    • memory/2032-37-0x0000000000350000-0x0000000000373000-memory.dmp