Malware Analysis Report

2025-04-13 11:50

Sample ID 220119-bcxc9sedfk
Target 09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93
SHA256 09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93

Threat Level: Known bad

The file 09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93 was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Process spawned unexpected child process

Bazar/Team9 Loader payload

Loads dropped DLL

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-19 01:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-19 01:00

Reported

2022-01-19 01:03

Platform

win10-en-20211208

Max time kernel

122s

Max time network

153s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93.xll"

Signatures

Bazar Loader

loader dropper bazarloader

Process spawned unexpected child process

Description: Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process
Indicator: N/A
Process: C:\Windows\SYSTEM32\rundll32.exe
Target: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Bazar/Team9 Loader payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks processor information in registry

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Enumerates system info in registry

Description: Key opened
Indicator: \REGISTRY\MACHINE\Hardware\Description\System\BIOS
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Description: Key value queried
Indicator: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious behavior: AddClipboardFormatListener

Description: N/A
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3736 wrote to memory of 1324
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: C:\Windows\SYSTEM32\rundll32.exe

Description: PID 3736 wrote to memory of 1324
Indicator: N/A
Process: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Target: C:\Windows\SYSTEM32\rundll32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93.xll"

C:\Windows\SYSTEM32\rundll32.exe

rundll32 C:\Users\Admin\JavaObjectReflectiveJ.dll , dopt

Network

Files

memory/3736-115-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-116-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-117-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-118-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-119-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-128-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp

memory/3736-129-0x00007FF9F7A00000-0x00007FF9F7A10000-memory.dmp

\Users\Admin\AppData\Local\Temp\09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93.xll

MD5 fa8506376e363d8dfa767e7e4da6b56b
SHA1 c2d9101667a55f430c0513cbf748be8723b9e245
SHA256 09f0d56342e53b1af01eceb399c3f0bde5e61ff654d9117a57868466750e2e93
SHA512 1074927abee15cfc9a51ab9cc160a8c339a7a2989399d5543ed2d00daa03b544b0d92d02eb35c8fad3ed037ae00e125619d587cfd3506322c337c56b21c15865

C:\Users\Admin\JavaObjectReflectiveJ.dll

MD5 80937e9a897f114fc78402e487edcb8a
SHA1 520ded1ede32e17fa09febb0ac79bdad4351dd83
SHA256 9a9f73d1465e020955add917e085582f69123c467abf4b188880e726587896a2
SHA512 a762abdc6240370d00c1533558a7dbe2a154b18747930a487c50ea590e7ac550c026985826131f17b7e74f2477a5e2e42c33d5fddc770961c16501e3916137fa

\Users\Admin\JavaObjectReflectiveJ.dll

MD5 80937e9a897f114fc78402e487edcb8a
SHA1 520ded1ede32e17fa09febb0ac79bdad4351dd83
SHA256 9a9f73d1465e020955add917e085582f69123c467abf4b188880e726587896a2
SHA512 a762abdc6240370d00c1533558a7dbe2a154b18747930a487c50ea590e7ac550c026985826131f17b7e74f2477a5e2e42c33d5fddc770961c16501e3916137fa

memory/1324-258-0x0000000180000000-0x000000018003C000-memory.dmp

memory/3736-276-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-277-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-278-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp

memory/3736-279-0x00007FF9FB330000-0x00007FF9FB340000-memory.dmp