subscription_1617291613.xlsb.zip

General

Target: subscription_1617291613.xlsb
Filesize: 207KB
Completed: 01-04-2021 18:56
Score: 10/10
Signatures (17)

  • Bazar Loader

    Description

    Detected loader normally used to deploy BazarBackdoor malware.

  • Nloader

    Description

    Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process
    cmd.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 808 | 4772 | cmd.exe | EXCEL.EXE
  • Bazar/Team9 Loader payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4544-19-0x0000000001FB0000-0x0000000001FD3000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/4544-18-0x0000000001F80000-0x0000000001FA5000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/4544-20-0x00000000001B0000-0x00000000001D2000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/2396-27-0x0000000000440000-0x0000000000463000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/3644-36-0x0000000000530000-0x0000000000553000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/204-44-0x0000000001FE0000-0x0000000002003000-memory.dmp | BazarLoaderVar1
  • Nloader Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/1728-14-0x0000000002600000-0x0000000002605000-memory.dmp | nloader
  • Blocklisted process makes network request
    rundll32.exe

    Reported IOCs

    flow | pid | process
    20 | 1728 | rundll32.exe
    26 | 1728 | rundll32.exe
  • Executes dropped EXE
    tkqyg.exe, tkqyg.exe, RKCDF74.exe, RKCDF74.exe

    Reported IOCs

    pid | process
    4544 | tkqyg.exe
    2396 | tkqyg.exe
    3644 | RKCDF74.exe
    204 | RKCDF74.exe
  • Loads dropped DLL
    rundll32.exe

    Reported IOCs

    pid | process
    1728 | rundll32.exe
  • Adds Run key to start application
    RKCDF74.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | RKCDF74.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\D51AM76CR = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B5CUQFXB6P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCDF74.exe JU0NGE\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCDF74.exe JU0NGE" | RKCDF74.exe
  • Checks processor information in registry
    EXCEL.EXE

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  • Enumerates system info in registry
    EXCEL.EXE

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  • Runs ping.exe
    PING.EXE, PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    4712 | PING.EXE
    4556 | PING.EXE
    2980 | PING.EXE
  • Suspicious behavior: AddClipboardFormatListener
    EXCEL.EXE

    Reported IOCs

    pid | process
    4772 | EXCEL.EXE
  • Suspicious behavior: EnumeratesProcesses
    tkqyg.exe

    Reported IOCs

    pid | process
    4544 | tkqyg.exe
    4544 | tkqyg.exe
  • Suspicious use of FindShellTrayWindow
    EXCEL.EXE

    Reported IOCs

    pid | process
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
  • Suspicious use of SetWindowsHookEx
    EXCEL.EXE

    Reported IOCs

    pid | process
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
    4772 | EXCEL.EXE
  • Suspicious use of WriteProcessMemory
    EXCEL.EXE, cmd.exe, rundll32.exe, rundll32.exe, tkqyg.exe, cmd.exe, tkqyg.exe, cmd.exe, RKCDF74.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 4772 wrote to memory of 808 | 4772 | EXCEL.EXE | cmd.exe
    PID 4772 wrote to memory of 808 | 4772 | EXCEL.EXE | cmd.exe
    PID 808 wrote to memory of 1112 | 808 | cmd.exe | certutil.exe
    PID 808 wrote to memory of 1112 | 808 | cmd.exe | certutil.exe
    PID 808 wrote to memory of 1592 | 808 | cmd.exe | rundll32.exe
    PID 808 wrote to memory of 1592 | 808 | cmd.exe | rundll32.exe
    PID 1592 wrote to memory of 1728 | 1592 | rundll32.exe | rundll32.exe
    PID 1592 wrote to memory of 1728 | 1592 | rundll32.exe | rundll32.exe
    PID 1592 wrote to memory of 1728 | 1592 | rundll32.exe | rundll32.exe
    PID 1728 wrote to memory of 4544 | 1728 | rundll32.exe | tkqyg.exe
    PID 1728 wrote to memory of 4544 | 1728 | rundll32.exe | tkqyg.exe
    PID 4544 wrote to memory of 4596 | 4544 | tkqyg.exe | cmd.exe
    PID 4544 wrote to memory of 4596 | 4544 | tkqyg.exe | cmd.exe
    PID 4596 wrote to memory of 4556 | 4596 | cmd.exe | PING.EXE
    PID 4596 wrote to memory of 4556 | 4596 | cmd.exe | PING.EXE
    PID 4596 wrote to memory of 2396 | 4596 | cmd.exe | tkqyg.exe
    PID 4596 wrote to memory of 2396 | 4596 | cmd.exe | tkqyg.exe
    PID 2396 wrote to memory of 2424 | 2396 | tkqyg.exe | cmd.exe
    PID 2396 wrote to memory of 2424 | 2396 | tkqyg.exe | cmd.exe
    PID 2424 wrote to memory of 2980 | 2424 | cmd.exe | PING.EXE
    PID 2424 wrote to memory of 2980 | 2424 | cmd.exe | PING.EXE
    PID 2424 wrote to memory of 3644 | 2424 | cmd.exe | RKCDF74.exe
    PID 2424 wrote to memory of 3644 | 2424 | cmd.exe | RKCDF74.exe
    PID 3644 wrote to memory of 4732 | 3644 | RKCDF74.exe | cmd.exe
    PID 3644 wrote to memory of 4732 | 3644 | RKCDF74.exe | cmd.exe
    PID 4732 wrote to memory of 4712 | 4732 | cmd.exe | PING.EXE
    PID 4732 wrote to memory of 4712 | 4732 | cmd.exe | PING.EXE
    PID 4732 wrote to memory of 204 | 4732 | cmd.exe | RKCDF74.exe
    PID 4732 wrote to memory of 204 | 4732 | cmd.exe | RKCDF74.exe
Processes (15)
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb"
    Checks processor information in registry
    Enumerates system info in registry
    Suspicious behavior: AddClipboardFormatListener
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1
      Process spawned unexpected child process
      Suspicious use of WriteProcessMemory
      PID:808
      • C:\Windows\system32\certutil.exe
        certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui
        PID:1112
      • C:\Windows\system32\rundll32.exe
        rundll32 C:\Users\Public\569390.ui,DF1
        Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 C:\Users\Public\569390.ui,DF1
          Blocklisted process makes network request
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1728
          • C:\ProgramData\tkqyg\tkqyg.exe
            "C:\ProgramData\tkqyg\tkqyg.exe"
            Executes dropped EXE
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:4544
            • C:\Windows\SYSTEM32\cmd.exe
              cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe DZOF6
              Suspicious use of WriteProcessMemory
              PID:4596
              • C:\Windows\system32\PING.EXE
                ping 8.8.7.7 -n 2
                Runs ping.exe
                PID:4556
              • C:\ProgramData\tkqyg\tkqyg.exe
                C:\ProgramData\tkqyg\tkqyg.exe DZOF6
                Executes dropped EXE
                Suspicious use of WriteProcessMemory
                PID:2396
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe DO32
                  Suspicious use of WriteProcessMemory
                  PID:2424
                  • C:\Windows\system32\PING.EXE
                    ping 8.8.7.7 -n 2
                    Runs ping.exe
                    PID:2980
                  • C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
                    C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe DO32
                    Executes dropped EXE
                    Adds Run key to start application
                    Suspicious use of WriteProcessMemory
                    PID:3644
                    • C:\Windows\SYSTEM32\cmd.exe
                      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\rKCDF74.exe JU0NGE
                      Suspicious use of WriteProcessMemory
                      PID:4732
                      • C:\Windows\system32\PING.EXE
                        ping 8.8.7.7 -n 2
                        Runs ping.exe
                        PID:4712
                      • C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
                        C:\Users\Admin\AppData\Local\Temp\rKCDF74.exe JU0NGE
                        Executes dropped EXE
                        PID:204
Downloads
  • C:\ProgramData\tkqyg\tkqyg.exe
    MD5: 81e6dcf2510ffc2400743e912448013f
    SHA1: b1b29fff6348b805851513ce8812990a2f5a4e39
    SHA256: 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
    SHA512: f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc
  • C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
    MD5: 81e6dcf2510ffc2400743e912448013f
    SHA1: b1b29fff6348b805851513ce8812990a2f5a4e39
    SHA256: 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
    SHA512: f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5: 4c76f38fce14a5ef11b781134fa1e0bb
    SHA1: b7faaec2192b0e49629bd42d5289b1df811ea78d
    SHA256: 0c78cb484c57152d3e5ad1d19f97138f4383ad1419ed3fbc2d7f86cb4056348a
    SHA512: 4e45322f0b45245dc662ef5c4b6cbacedc7610e8e70b332dd976cb5451109d65b141aaea823bf0706fde7bf32f05693deb587f03e7df32c4030ea55928426f85
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5: f4005619ea48345dff3dda9d3de8d1a5
    SHA1: da9eb8d50a10cf979f1c9bb78a0c288863a656b6
    SHA256: 464b2f47575bf6e0cc169b5b4ccca28d25418201adcc5bb6605612c198c140c9
    SHA512: e19ca29f0b8d70773d8de2a7aaef8c56b4c8ee55b572bb286c66481b0f6e2ef9b529b490c46a690e6d0c300556ebc9fe4a7586d6ec05e446de2b94486716050f
  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
    MD5: 14c1ccd7ab70950c171465996f57860d
    SHA1: 84250bab77501ee2d39f4d964ada25023c305c97
    SHA256: ecb9966e2f4ece0aa99fb8cca16c67597079b6a5312fc80a324b98b365f2bd2b
    SHA512: d058c18836727a5dee28503ce7949ed3919f9377678e92d241607a7e58f181f98a35ae4ed8c811efd308dcd74d73bb6061bce81abc72e3009b72279d29002561
  • C:\Users\Public\569390.pdi
    MD5: 5cc5f895b91ab4c1835ac9b83e86663b
    SHA1: b51565a65b167172b71516435f4118ec9a278673
    SHA256: 81a75221faf7f28e2b2ce76471499d72b94da9ae48e0e1dc5bf01060e9195065
    SHA512: 3a4289acdc392d999f4edde46c4261956b9be0aba355dc730a7bee08b9b00dff8733f84c97365aa773fad8bde29aa8dc040aac3067e7af3e7f75049c897e08f0
  • C:\Users\Public\569390.ui
    MD5: f4dc5b1151ed77bfcfae8b73147d93c2
    SHA1: e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415
    SHA256: 71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606
    SHA512: 077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb
  • \Users\Public\569390.ui
    MD5: f4dc5b1151ed77bfcfae8b73147d93c2
    SHA1: e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415
    SHA256: 71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606
    SHA512: 077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb
  • memory/204-40-0x0000000000000000-mapping.dmp
  • memory/204-44-0x0000000001FE0000-0x0000000002003000-memory.dmp
  • memory/808-7-0x0000000000000000-mapping.dmp
  • memory/1112-8-0x0000000000000000-mapping.dmp
  • memory/1592-10-0x0000000000000000-mapping.dmp
  • memory/1728-14-0x0000000002600000-0x0000000002605000-memory.dmp
  • memory/1728-12-0x0000000000000000-mapping.dmp
  • memory/2396-27-0x0000000000440000-0x0000000000463000-memory.dmp
  • memory/2396-23-0x0000000000000000-mapping.dmp
  • memory/2424-29-0x0000000000000000-mapping.dmp
  • memory/2980-30-0x0000000000000000-mapping.dmp
  • memory/3644-31-0x0000000000000000-mapping.dmp
  • memory/3644-36-0x0000000000530000-0x0000000000553000-memory.dmp
  • memory/4544-20-0x00000000001B0000-0x00000000001D2000-memory.dmp
  • memory/4544-15-0x0000000000000000-mapping.dmp
  • memory/4544-19-0x0000000001FB0000-0x0000000001FD3000-memory.dmp
  • memory/4544-18-0x0000000001F80000-0x0000000001FA5000-memory.dmp
  • memory/4556-22-0x0000000000000000-mapping.dmp
  • memory/4596-21-0x0000000000000000-mapping.dmp
  • memory/4712-39-0x0000000000000000-mapping.dmp
  • memory/4732-38-0x0000000000000000-mapping.dmp
  • memory/4772-6-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp
  • memory/4772-5-0x00007FFF46210000-0x00007FFF46847000-memory.dmp
  • memory/4772-4-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp
  • memory/4772-3-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp
  • memory/4772-2-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp