Analysis
- max time kernel: 126s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 03-05-2021 17:05

Behavioral task: behavioral1
- Sample: 88da57ba_by_Libranalysis.xls
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 88da57ba_by_Libranalysis.xls
- Resource: win10v20210408
General
- Target: 88da57ba_by_Libranalysis.xls
- Size: 293KB
- MD5: 88da57baad066838d62daa0d17658eb0
- SHA1: c9d47b8cf3debfe3f714c6eb497829a8ad2bd1fc
- SHA256: f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c
- SHA512: 561401ec068bea4d1907ca81f66fceeb21d93fbca3e1fc1fafd6c68bc7df465dbaf988e4bbd8f38a54dceade57f12428b9ec20c5e5a43c45e4a1c662dc4919d0
Malware Config
Signatures
-
BazarBackdoor 5 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:
description | flow | ioc
HTTP URL | 38 | https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL | 39 | https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL | 40 | https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL | 41 | https://54.163.9.216/93b49dcd323cbe830a106929358e2763/2
HTTP URL | 42 | https://54.163.9.216/93b49dcd323cbe830a106929358e2763/3
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
description | pid | pid_target | process | target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | 1344 | 1032 | rundll32.exe | EXCEL.EXE
Blocklisted process makes network request 8 IoCs
Processes: rundll32.exe, cmd.exe
flow | pid | process
33 | 3008 | rundll32.exe
36 | 3008 | rundll32.exe
37 | 3008 | rundll32.exe
38 | 3964 | cmd.exe
39 | 3964 | cmd.exe
40 | 3964 | cmd.exe
41 | 3964 | cmd.exe
42 | 3964 | cmd.exe
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
pid | process
3008 | rundll32.exe
3868 | rundll32.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 3008 set thread context of 3964 | 3008 | rundll32.exe | cmd.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
pid | process
1032 | EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
pid | process
1032 | EXCEL.EXE (12 identical rows)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: EXCEL.EXE, rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1032 wrote to memory of 1344 | 1032 | EXCEL.EXE | rundll32.exe (2 rows)
PID 1344 wrote to memory of 3008 | 1344 | rundll32.exe | rundll32.exe (3 rows)
PID 3008 wrote to memory of 3964 | 3008 | rundll32.exe | cmd.exe (all remaining rows, identical)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88da57ba_by_Libranalysis.xls"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe
    Command line: rundll32 ..\bsdnbsej.dbw,PluginInit
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32 ..\bsdnbsej.dbw,PluginInit
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\System32\cmd.exe
        - Blocklisted process makes network request
- C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\bsdnbsej.dbw,PluginInit 1420578116
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\bsdnbsej.dbw
  MD5: b80f4b91c29963df1cfd0d0a8a30e5c6
  SHA1: 09c6ae06e0c10672d91f6850118f41dc3dd66e72
  SHA256: 0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9
  SHA512: bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c
- \Users\Admin\bsdnbsej.dbw
  MD5: b80f4b91c29963df1cfd0d0a8a30e5c6
  SHA1: 09c6ae06e0c10672d91f6850118f41dc3dd66e72
  SHA256: 0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9
  SHA512: bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c
- memory/1032-115-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp (Filesize: 64KB)
- memory/1032-116-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp (Filesize: 64KB)
- memory/1032-117-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp (Filesize: 64KB)
- memory/1032-118-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp (Filesize: 64KB)
- memory/1032-121-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp (Filesize: 64KB)
- memory/1032-122-0x00007FFC5BD40000-0x00007FFC5CE2E000-memory.dmp (Filesize: 16.9MB)
- memory/1032-123-0x00007FFC59E40000-0x00007FFC5BD35000-memory.dmp (Filesize: 31.0MB)
- memory/1032-114-0x00007FF6EC960000-0x00007FF6EFF16000-memory.dmp (Filesize: 53.7MB)
- memory/1344-179-0x0000000000000000-mapping.dmp
- memory/3008-183-0x0000000002470000-0x0000000002471000-memory.dmp (Filesize: 4KB)
- memory/3008-181-0x0000000000000000-mapping.dmp
- memory/3868-187-0x00000000028E0000-0x00000000028E1000-memory.dmp (Filesize: 4KB)
- memory/3964-185-0x00000000010CBB2D-mapping.dmp
- memory/3964-186-0x00000000010B0000-0x00000000010EF000-memory.dmp (Filesize: 252KB)