bazarloader | b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4

Analysis

max time kernel
136s
max time network
134s
platform
windows10_x64
resource
win10v20201028
submitted
01-04-2021 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

subscription_1617291613.xlsb

Score

10^/10

bazarloader nloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	808	4772	cmd.exe	EXCEL.EXE

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-19-0x0000000001FB0000-0x0000000001FD3000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4544-18-0x0000000001F80000-0x0000000001FA5000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4544-20-0x00000000001B0000-0x00000000001D2000-memory.dmp	BazarLoaderVar1
behavioral2/memory/2396-27-0x0000000000440000-0x0000000000463000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3644-36-0x0000000000530000-0x0000000000553000-memory.dmp	BazarLoaderVar1
behavioral2/memory/204-44-0x0000000001FE0000-0x0000000002003000-memory.dmp	BazarLoaderVar1

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1728-14-0x0000000002600000-0x0000000002605000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

20 1728 rundll32.exe
26 1728 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

tkqyg.exetkqyg.exeRKCDF74.exeRKCDF74.exe

pid process

4544 tkqyg.exe
2396 tkqyg.exe
3644 RKCDF74.exe
204 RKCDF74.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1728 rundll32.exe

flow	pid	process
20	1728	rundll32.exe
26	1728	rundll32.exe

pid	process
4544	tkqyg.exe
2396	tkqyg.exe
3644	RKCDF74.exe
204	RKCDF74.exe

pid	process
1728	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RKCDF74.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RKCDF74.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\D51AM76CR = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B5CUQFXB6P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCDF74.exe JU0NGE\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\RKCDF74.exe JU0NGE"	RKCDF74.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4712 PING.EXE
4556 PING.EXE
2980 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4772 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tkqyg.exe

pid process

4544 tkqyg.exe
4544 tkqyg.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid process

4772 EXCEL.EXE
4772 EXCEL.EXE

pid	process
4712	PING.EXE
4556	PING.EXE
2980	PING.EXE

pid	process
4544	tkqyg.exe
4544	tkqyg.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE
4772	EXCEL.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exetkqyg.execmd.exetkqyg.execmd.exeRKCDF74.execmd.exe

description	pid	process	target process
PID 4772 wrote to memory of 808	4772	EXCEL.EXE	cmd.exe
PID 4772 wrote to memory of 808	4772	EXCEL.EXE	cmd.exe
PID 808 wrote to memory of 1112	808	cmd.exe	certutil.exe
PID 808 wrote to memory of 1112	808	cmd.exe	certutil.exe
PID 808 wrote to memory of 1592	808	cmd.exe	rundll32.exe
PID 808 wrote to memory of 1592	808	cmd.exe	rundll32.exe
PID 1592 wrote to memory of 1728	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1728	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 1728	1592	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 4544	1728	rundll32.exe	tkqyg.exe
PID 1728 wrote to memory of 4544	1728	rundll32.exe	tkqyg.exe
PID 4544 wrote to memory of 4596	4544	tkqyg.exe	cmd.exe
PID 4544 wrote to memory of 4596	4544	tkqyg.exe	cmd.exe
PID 4596 wrote to memory of 4556	4596	cmd.exe	PING.EXE
PID 4596 wrote to memory of 4556	4596	cmd.exe	PING.EXE
PID 4596 wrote to memory of 2396	4596	cmd.exe	tkqyg.exe
PID 4596 wrote to memory of 2396	4596	cmd.exe	tkqyg.exe
PID 2396 wrote to memory of 2424	2396	tkqyg.exe	cmd.exe
PID 2396 wrote to memory of 2424	2396	tkqyg.exe	cmd.exe
PID 2424 wrote to memory of 2980	2424	cmd.exe	PING.EXE
PID 2424 wrote to memory of 2980	2424	cmd.exe	PING.EXE
PID 2424 wrote to memory of 3644	2424	cmd.exe	RKCDF74.exe
PID 2424 wrote to memory of 3644	2424	cmd.exe	RKCDF74.exe
PID 3644 wrote to memory of 4732	3644	RKCDF74.exe	cmd.exe
PID 3644 wrote to memory of 4732	3644	RKCDF74.exe	cmd.exe
PID 4732 wrote to memory of 4712	4732	cmd.exe	PING.EXE
PID 4732 wrote to memory of 4712	4732	cmd.exe	PING.EXE
PID 4732 wrote to memory of 204	4732	cmd.exe	RKCDF74.exe
PID 4732 wrote to memory of 204	4732	cmd.exe	RKCDF74.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617291613.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\569390.pdi %PUBLIC%\569390.ui && rundll32 %PUBLIC%\569390.ui,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:808

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\569390.pdi C:\Users\Public\569390.ui
3⤵
PID:1112

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Public\569390.ui,DF1
3⤵
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\569390.ui,DF1
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728

C:\ProgramData\tkqyg\tkqyg.exe
"C:\ProgramData\tkqyg\tkqyg.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\tkqyg\tkqyg.exe DZOF6
6⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
7⤵
- Runs ping.exe
PID:4556

C:\ProgramData\tkqyg\tkqyg.exe
C:\ProgramData\tkqyg\tkqyg.exe DZOF6
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe DO32
8⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
9⤵
- Runs ping.exe
PID:2980

C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe DO32
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\rKCDF74.exe JU0NGE
10⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
11⤵
- Runs ping.exe
PID:4712

C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
C:\Users\Admin\AppData\Local\Temp\rKCDF74.exe JU0NGE
11⤵
- Executes dropped EXE
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\ProgramData\tkqyg\tkqyg.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKCDF74.exe
MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
4c76f38fce14a5ef11b781134fa1e0bb

SHA1
b7faaec2192b0e49629bd42d5289b1df811ea78d

SHA256
0c78cb484c57152d3e5ad1d19f97138f4383ad1419ed3fbc2d7f86cb4056348a

SHA512
4e45322f0b45245dc662ef5c4b6cbacedc7610e8e70b332dd976cb5451109d65b141aaea823bf0706fde7bf32f05693deb587f03e7df32c4030ea55928426f85

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
f4005619ea48345dff3dda9d3de8d1a5

SHA1
da9eb8d50a10cf979f1c9bb78a0c288863a656b6

SHA256
464b2f47575bf6e0cc169b5b4ccca28d25418201adcc5bb6605612c198c140c9

SHA512
e19ca29f0b8d70773d8de2a7aaef8c56b4c8ee55b572bb286c66481b0f6e2ef9b529b490c46a690e6d0c300556ebc9fe4a7586d6ec05e446de2b94486716050f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff
MD5
14c1ccd7ab70950c171465996f57860d

SHA1
84250bab77501ee2d39f4d964ada25023c305c97

SHA256
ecb9966e2f4ece0aa99fb8cca16c67597079b6a5312fc80a324b98b365f2bd2b

SHA512
d058c18836727a5dee28503ce7949ed3919f9377678e92d241607a7e58f181f98a35ae4ed8c811efd308dcd74d73bb6061bce81abc72e3009b72279d29002561

Download Submit
C:\Users\Public\569390.pdi
MD5
5cc5f895b91ab4c1835ac9b83e86663b

SHA1
b51565a65b167172b71516435f4118ec9a278673

SHA256
81a75221faf7f28e2b2ce76471499d72b94da9ae48e0e1dc5bf01060e9195065

SHA512
3a4289acdc392d999f4edde46c4261956b9be0aba355dc730a7bee08b9b00dff8733f84c97365aa773fad8bde29aa8dc040aac3067e7af3e7f75049c897e08f0

Download Submit
C:\Users\Public\569390.ui
MD5
f4dc5b1151ed77bfcfae8b73147d93c2

SHA1
e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

SHA256
71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

SHA512
077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

Download Submit
\Users\Public\569390.ui
MD5
f4dc5b1151ed77bfcfae8b73147d93c2

SHA1
e53166ca0f09ad46795cd8f5a1c9a4a2d5b21415

SHA256
71cd6cb93fcf508761b72fac05bc96a07697718eb928c72fc7731dab457b3606

SHA512
077b54dc49c0596ead6b5f754c77deecbda5d7dfee34c21b3d5faab727c8a83804c7da4652597905f5428ab52f2cd10eabbbaae12e30d3a5ccebba0b4ce479eb

Download Submit
memory/204-40-0x0000000000000000-mapping.dmp

Download
memory/204-44-0x0000000001FE0000-0x0000000002003000-memory.dmp

Filesize
140KB

Download
memory/808-7-0x0000000000000000-mapping.dmp

Download
memory/1112-8-0x0000000000000000-mapping.dmp

Download
memory/1592-10-0x0000000000000000-mapping.dmp

Download
memory/1728-14-0x0000000002600000-0x0000000002605000-memory.dmp

Filesize
20KB

Download
memory/1728-12-0x0000000000000000-mapping.dmp

Download
memory/2396-27-0x0000000000440000-0x0000000000463000-memory.dmp

Filesize
140KB

Download
memory/2396-23-0x0000000000000000-mapping.dmp

Download
memory/2424-29-0x0000000000000000-mapping.dmp

Download
memory/2980-30-0x0000000000000000-mapping.dmp

Download
memory/3644-31-0x0000000000000000-mapping.dmp

Download
memory/3644-36-0x0000000000530000-0x0000000000553000-memory.dmp

Filesize
140KB

Download
memory/4544-20-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/4544-18-0x0000000001F80000-0x0000000001FA5000-memory.dmp

Filesize
148KB

Download
memory/4544-19-0x0000000001FB0000-0x0000000001FD3000-memory.dmp

Filesize
140KB

Download
memory/4544-15-0x0000000000000000-mapping.dmp

Download
memory/4556-22-0x0000000000000000-mapping.dmp

Download
memory/4596-21-0x0000000000000000-mapping.dmp

Download
memory/4712-39-0x0000000000000000-mapping.dmp

Download
memory/4732-38-0x0000000000000000-mapping.dmp

Download
memory/4772-2-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp

Filesize
64KB

Download
memory/4772-6-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp

Filesize
64KB

Download
memory/4772-5-0x00007FFF46210000-0x00007FFF46847000-memory.dmp

Filesize
6.2MB

Download
memory/4772-4-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp

Filesize
64KB

Download
memory/4772-3-0x00007FFF21F30000-0x00007FFF21F40000-memory.dmp

Filesize
64KB

Download