Malware Analysis Report

2025-04-13 11:50

Sample ID 220119-c2z15aehaq
Target 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2
SHA256 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2

Threat Level: Known bad

The file 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2 was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Process spawned unexpected child process

Bazar/Team9 Loader payload

Loads dropped DLL

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-19 02:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-19 02:35

Reported

2022-01-19 02:37

Platform

win10v2004-en-20220112

Max time kernel

109s

Max time network

125s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll"

Signatures

Bazar Loader

loader dropper bazarloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process N/A C:\Windows\SYSTEM32\rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3748 wrote to memory of 2936 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\rundll32.exe
PID 3748 wrote to memory of 2936 N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE C:\Windows\SYSTEM32\rundll32.exe

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll"

C:\Windows\SYSTEM32\rundll32.exe

rundll32 C:\Users\Admin\JavaObjectReflectW.dll , dopt

Network

Files

memory/3748-130-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp

memory/3748-131-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp

memory/3748-132-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll

MD5 77461abc7157340cedea763e2813c965
SHA1 f842ba990c8df5f05d11d00873cbc5c0e082dff4
SHA256 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2
SHA512 0ce714c92719788605b4b8d7cb27b481963ce9a6084af183e75a246bc23d0fab65dc86fc395aa46d1ec8b47e0c9cfda7a0efd63dc9af865ce2bfd9668cb5b456

C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll

MD5 77461abc7157340cedea763e2813c965
SHA1 f842ba990c8df5f05d11d00873cbc5c0e082dff4
SHA256 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2
SHA512 0ce714c92719788605b4b8d7cb27b481963ce9a6084af183e75a246bc23d0fab65dc86fc395aa46d1ec8b47e0c9cfda7a0efd63dc9af865ce2bfd9668cb5b456

C:\Users\Admin\JavaObjectReflectW.dll

MD5 da4c6c1fd8422d4d9ac56c83ad0a8edd
SHA1 5c80b6e4a30f552f9f35f228791b963608e5a2bc
SHA256 b38586cb3f7ea70956ccded1963366d0ca3f0aa86c1962db49be27303f55045b
SHA512 ac882263ae430e670d1edeb1f441e1fc6bde3f394dae86f6736388041a8587651e0c17cd6acc3328401b5eeac6454b619ca7d090a61d3d7e828229e1e221c2b1

C:\Users\Admin\JavaObjectReflectW.dll

MD5 da4c6c1fd8422d4d9ac56c83ad0a8edd
SHA1 5c80b6e4a30f552f9f35f228791b963608e5a2bc
SHA256 b38586cb3f7ea70956ccded1963366d0ca3f0aa86c1962db49be27303f55045b
SHA512 ac882263ae430e670d1edeb1f441e1fc6bde3f394dae86f6736388041a8587651e0c17cd6acc3328401b5eeac6454b619ca7d090a61d3d7e828229e1e221c2b1

memory/2936-952-0x0000000180000000-0x000000018003C000-memory.dmp