Analysis Overview
SHA256
b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114
Threat Level: Known bad
The file b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Bazar Loader
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 01:07
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 01:07
Reported
2022-01-19 01:10
Platform
win10-en-20211208
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3812 wrote to memory of 2128 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 3812 wrote to memory of 2128 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectiveH.dll , dopt
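The process tree above (EXCEL.EXE opening the .xll, spawning rundll32 with a DLL dropped in the user profile, and that rundll32 then making outbound TLS connections) is the chain a detection should key on. The following Python is an added example, not part of this report or of any vendor tooling: it runs that check over constructed process-creation and network-connect records that mirror the report's data. The Sysmon-like field names, the `SAMPLE_EVENTS` records and the `detect`/`parse_rundll32` helper names are assumptions of the example.

```python
import re
from typing import Iterable, Optional

# Added example, not part of the sandbox report. The records below are
# constructed to mirror the report's process tree and network table; the
# field names (a small Sysmon-like schema) are an assumption of this example.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"event": "process_create", "pid": 3812, "ppid": 1200,
     "image": r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" '
                r'"C:\Users\Admin\AppData\Local\Temp\b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114.xll"'},
    # Note the " , " spacing before the export name, exactly as in the report.
    {"event": "process_create", "pid": 2128, "ppid": 3812,
     "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "cmdline": r"rundll32 C:\Users\Admin\JavaObjectReflectiveH.dll , dopt"},
    {"event": "network_connect", "pid": 2128,
     "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "dst": "91.201.202.219", "dport": 443},
    # Benign control case: rundll32 under explorer.exe with a system DLL.
    {"event": "process_create", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\SYSTEM32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_DLL_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                        "c:\\program files (x86)\\")

# Accepts "rundll32 <dll>,<export>" as well as the spaced "<dll> , <export>"
# form seen in this report, with or without .exe, a full path, or quotes.
_RUNDLL32_RE = re.compile(
    r'^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline: str) -> Optional[tuple[str, str]]:
    """Return (dll_path, export_name) from a rundll32 command line, or None."""
    m = _RUNDLL32_RE.match(cmdline.strip())
    return (m.group("dll"), m.group("export")) if m else None


def is_user_writable(path: str) -> bool:
    """Heuristic: anything outside Windows / Program Files is user-writable."""
    return not path.lower().startswith(TRUSTED_DLL_PREFIXES)


def detect(events: Iterable[dict]) -> list[dict]:
    """Flag rundll32 spawned by an Office app, then any network activity by it."""
    procs: dict[int, dict] = {}
    flagged: set[int] = set()
    alerts: list[dict] = []
    for ev in events:
        if ev["event"] == "process_create":
            procs[ev["pid"]] = ev
            parent = procs.get(ev["ppid"])
            if basename(ev["image"]) != "rundll32.exe" or parent is None:
                continue
            if basename(parent["image"]) not in OFFICE_APPS:
                continue
            parsed = parse_rundll32(ev["cmdline"])
            dll, export = parsed if parsed else (None, None)
            alerts.append({
                "rule": "office_spawned_rundll32",
                "pid": ev["pid"], "parent": parent["image"],
                "dll": dll, "export": export,
                "dll_user_writable": bool(dll and is_user_writable(dll)),
            })
            flagged.add(ev["pid"])
        elif ev["event"] == "network_connect" and ev["pid"] in flagged:
            alerts.append({
                "rule": "office_spawned_rundll32_network",
                "pid": ev["pid"], "dst": f'{ev["dst"]}:{ev["dport"]}',
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two details worth keeping in mind when porting this to a real pipeline: the export name (`dopt` here) is attacker-chosen and should not be treated as a stable indicator, whereas the parent/child pairing and the DLL living under `C:\Users\` are the durable signals; and the `" , "` spacing in the recorded command line is exactly the kind of variation that defeats a regex written only for the canonical `dll,export` form.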
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | | tcp |
| US | 52.109.8.21:443 | | tcp |
| UA | 91.201.202.219:443 | | tcp |
| NL | 194.147.115.132:443 | | tcp |
| UA | 194.38.20.30:443 | 194.38.20.30 | tcp |
Files
memory/3812-115-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-116-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-117-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-118-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-121-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-128-0x00007FFD2F860000-0x00007FFD2F870000-memory.dmp
memory/3812-129-0x00007FFD2F860000-0x00007FFD2F870000-memory.dmp
\Users\Admin\AppData\Local\Temp\b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114.xll
| MD5 | f75225bfef07aa3184aa677b61520bd3 |
| SHA1 | dc32f7bdb0fb5c76df8dd1a235ef9c0f85138af6 |
| SHA256 | b9161245a81bdee1f12e09a4a66abb8ec219f10a4fbfa2023dcf2ca4a2ab7114 |
| SHA512 | 08c3c4c7e9674cbc14a6ed456c6778dc527dc905300e14bd990be73eccc890ce60b7f7d39c41a8e6da659efa3d1b3b671b5cdf30aa7fbc5d5b495b334017824e |
C:\Users\Admin\JavaObjectReflectiveH.dll
| MD5 | 03d090b80f9ff069f3158e12508f7ec1 |
| SHA1 | d6de6820ed51d175c75bb4e02d193dd39cce5911 |
| SHA256 | 6702da5432883a5de6c2be16f1f05867aad6925d166ee36ca9f61ad4efc352f3 |
| SHA512 | c320576a303dc0614b9960199aa4a91821c090840ec45351ccbb7c4d57d1c1b56463dac0c5318c6ca6a18eaae2b90940d817571b8f70e3729fa3ffbc8210850e |
memory/2128-259-0x0000000180000000-0x000000018003C000-memory.dmp
memory/3812-281-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-282-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-283-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp
memory/3812-284-0x00007FFD329F0000-0x00007FFD32A00000-memory.dmp