Analysis
- max time kernel: 113s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 03-05-2021 16:18
Behavioral task behavioral1
- Sample: Documents_1462169789_1838254150.xls
- Resource: win7v20210408
Behavioral task behavioral2
- Sample: Documents_1462169789_1838254150.xls
- Resource: win10v20210410
General
- Target: Documents_1462169789_1838254150.xls
- Size: 293KB
- MD5: 88da57baad066838d62daa0d17658eb0
- SHA1: c9d47b8cf3debfe3f714c6eb497829a8ad2bd1fc
- SHA256: f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c
- SHA512: 561401ec068bea4d1907ca81f66fceeb21d93fbca3e1fc1fafd6c68bc7df465dbaf988e4bbd8f38a54dceade57f12428b9ec20c5e5a43c45e4a1c662dc4919d0
Malware Config
Signatures
BazarBackdoor 5 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:
  description   flow   ioc
  HTTP URL      46     https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
  HTTP URL      47     https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
  HTTP URL      48     https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
  HTTP URL      49     https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/2
  HTTP URL      50     https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/3
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: rundll32.exe
  description                                                                                            pid    pid_target   process        target process
  Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process   1252   3872         rundll32.exe   EXCEL.EXE
Blocklisted process makes network request 8 IoCs
Processes: rundll32.exe, cmd.exe
  flow   pid    process
  39     1232   rundll32.exe
  41     1232   rundll32.exe
  44     1232   rundll32.exe
  46     3848   cmd.exe
  47     3848   cmd.exe
  48     3848   cmd.exe
  49     3848   cmd.exe
  50     3848   cmd.exe
Loads dropped DLL 2 IoCs
Processes: rundll32.exe, rundll32.exe
  pid    process
  1232   rundll32.exe
  3180   rundll32.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
  description                           pid    process        target process
  PID 1232 set thread context of 3848   1232   rundll32.exe   cmd.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: EXCEL.EXE
  description         ioc                                                                                  process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                  EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   EXCEL.EXE
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       EXCEL.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EXCEL.EXE
  description         ioc                                                          process
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\BIOS             EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily   EXCEL.EXE
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU      EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: EXCEL.EXE
  pid    process
  3872   EXCEL.EXE
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: EXCEL.EXE
  pid    process
  3872   EXCEL.EXE   (12 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: EXCEL.EXE, rundll32.exe, rundll32.exe
  description                        pid    process        target process   entries
  PID 3872 wrote to memory of 1252   3872   EXCEL.EXE      rundll32.exe     2
  PID 1252 wrote to memory of 1232   1252   rundll32.exe   rundll32.exe     3
  PID 1232 wrote to memory of 3848   1232   rundll32.exe   cmd.exe          59 (all remaining entries of the 64)
Processes
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (depth 1)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents_1462169789_1838254150.xls"
  Signatures:
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\rundll32.exe (depth 2)
    Command line: rundll32 ..\bsdnbsej.dbw,PluginInit
    Signatures:
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32 ..\bsdnbsej.dbw,PluginInit
      Signatures:
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4)
        Command line: C:\Windows\System32\cmd.exe
        Signatures:
        - Blocklisted process makes network request
- C:\Windows\SysWOW64\rundll32.exe (depth 1)
  Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\bsdnbsej.dbw,PluginInit 2012181265
  Signatures:
  - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\bsdnbsej.dbw
  MD5: b80f4b91c29963df1cfd0d0a8a30e5c6
  SHA1: 09c6ae06e0c10672d91f6850118f41dc3dd66e72
  SHA256: 0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9
  SHA512: bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c
  (the same file is recorded twice more as \Users\Admin\bsdnbsej.dbw with identical hashes)
Memory dumps
- memory/1232-183-0x0000000000E80000-0x0000000000E81000-memory.dmp (Filesize 4KB)
- memory/1232-181-0x0000000000000000-mapping.dmp
- memory/1252-179-0x0000000000000000-mapping.dmp
- memory/3180-185-0x0000000000540000-0x000000000068A000-memory.dmp (Filesize 1.3MB)
- memory/3848-186-0x00000000012ABB2D-mapping.dmp
- memory/3848-187-0x0000000001290000-0x00000000012CF000-memory.dmp (Filesize 252KB)
- memory/3872-122-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (Filesize 64KB)
- memory/3872-123-0x000001AC17090000-0x000001AC18F85000-memory.dmp (Filesize 31.0MB)
- memory/3872-114-0x00007FF6B47E0000-0x00007FF6B7D96000-memory.dmp (Filesize 53.7MB)
- memory/3872-121-0x00007FF8E9260000-0x00007FF8EA34E000-memory.dmp (Filesize 16.9MB)
- memory/3872-118-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (Filesize 64KB)
- memory/3872-117-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (Filesize 64KB)
- memory/3872-116-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (Filesize 64KB)
- memory/3872-115-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp (Filesize 64KB)