Overview

overview

10

Static

static

8

require 01...21.doc

windows7_x64

10

require 01...21.doc

windows10_x64

10

Analysis

  • max time kernel
    301s
  • max time network
    346s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-10-2021 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    require 010.04.2021.doc

  • Size

    75KB

  • MD5

    6969e17d53d20ffd5dfd76d4955e5cc9

  • SHA1

    da3b0bd9b89c264d0b6520658a1b0e9b851bd2d9

  • SHA256

    365c4a15a704d7a6244a34ef94bc2aa845ae8435ab4ff4bdac7da55e76f75cf6

  • SHA512

    8acb4fbce39b9c9b35e41d2efb4ff05641d9f14b3ec2a90163bbe3a7c33eca8fa7574b53aede7c55e19dd75ab623469b116157afc79ef80d6c1bf8892a212448

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 010.04.2021.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta"
      2⤵
      • Process spawned unexpected child process
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1788
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" c:\users\public\easyMicrosoftHop.jpg
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:688
        • C:\Windows\system32\regsvr32.exe
          c:\users\public\easyMicrosoftHop.jpg
          4⤵
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1856
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k UnistackSvcGroup
            5⤵
              PID:1280
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe c:\users\public\easyMicrosoftHop.jpg,DllRegisterServer {B9C50292-BEB8-4EA7-A449-675F9A8F4F68}
      1⤵
      • Loads dropped DLL
      PID:1992

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      MD5

      ab5c36d10261c173c5896f3478cdc6b7

      SHA1

      87ac53810ad125663519e944bc87ded3979cbee4

      SHA256

      f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

      SHA512

      e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      MD5

      5819c7a5d5b228e3596a3686cf9c51dc

      SHA1

      cbf8d49646d48e629875b4c0ae156e514176b32a

      SHA256

      93b8d2f16f2116c6c16475a522c96204a57189f7904e24d9e0c44c10efcbbfad

      SHA512

      e58726bbef07e03f8628b343cf6acab5dee1437ab3ad0cb22debf856eea5f61044208ba5a1c9a10b96f45b6a1ccd8e5354e7e35e38a028bc4be8ff77c748a916

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta
      MD5

      d332518f2d331453d0dfa6044454acd6

      SHA1

      f5cc27a33a0ec2f092b9d9d645c01b30f8260438

      SHA256

      751930783e9376b73abf4573f972fc8670873c398ae9d361f7ede25f87470fd8

      SHA512

      9058907e2d47076ecb8cc9cfe1d48b99db365acd22fe13b11d09849f8390a617416b27716983d81b3bac51cc08256824e66cff1b15e1d166b7bbe09e686a6a85

      Download Submit

    • \??\c:\users\public\easyMicrosoftHop.jpg
      MD5

      48769565683695f9aa3aac3a044f006c

      SHA1

      74a503ba71a5f150c7ad06effd436840845c8f2b

      SHA256

      fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

      SHA512

      1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

      Download Submit

    • \Users\Public\easyMicrosoftHop.jpg
      MD5

      48769565683695f9aa3aac3a044f006c

      SHA1

      74a503ba71a5f150c7ad06effd436840845c8f2b

      SHA256

      fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

      SHA512

      1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

      Download Submit

    • \Users\Public\easyMicrosoftHop.jpg
      MD5

      48769565683695f9aa3aac3a044f006c

      SHA1

      74a503ba71a5f150c7ad06effd436840845c8f2b

      SHA256

      fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

      SHA512

      1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

      Download Submit

    • \Users\Public\easyMicrosoftHop.jpg
      MD5

      48769565683695f9aa3aac3a044f006c

      SHA1

      74a503ba71a5f150c7ad06effd436840845c8f2b

      SHA256

      fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

      SHA512

      1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

      Download Submit

    • memory/688-66-0x0000000000000000-mapping.dmp

      Download

    • memory/1280-76-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1280-77-0x00000000FF2D4AB0-mapping.dmp

      Download

    • memory/1280-78-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/1788-64-0x0000000000000000-mapping.dmp

      Download

    • memory/1856-71-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1856-70-0x0000000000000000-mapping.dmp

      Download

    • memory/1856-73-0x0000000000120000-0x0000000000138000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1904-63-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1904-60-0x0000000072651000-0x0000000072654000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1904-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1904-61-0x00000000700D1000-0x00000000700D3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1992-75-0x0000000000100000-0x0000000000118000-memory.dmp

      Filesize

      96KB

      Download