Analysis Overview
SHA256
52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2
Threat Level: Known bad
The file 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Loads dropped DLL
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 02:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 02:35
Reported
2022-01-19 02:37
Platform
win10v2004-en-20220112
Max time kernel
109s
Max time network
125s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3748 wrote to memory of 2936 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 3748 wrote to memory of 2936 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectW.dll , dopt
Network
Files
memory/3748-130-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp
memory/3748-131-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp
memory/3748-132-0x00007FFDC2850000-0x00007FFDC2860000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2.xll
| MD5 | 77461abc7157340cedea763e2813c965 |
| SHA1 | f842ba990c8df5f05d11d00873cbc5c0e082dff4 |
| SHA256 | 52db9c20a7e362af2fd93800154e761a7fbc7253b9c97d77ec2df6c6e691e0c2 |
| SHA512 | 0ce714c92719788605b4b8d7cb27b481963ce9a6084af183e75a246bc23d0fab65dc86fc395aa46d1ec8b47e0c9cfda7a0efd63dc9af865ce2bfd9668cb5b456 |
C:\Users\Admin\JavaObjectReflectW.dll
| MD5 | da4c6c1fd8422d4d9ac56c83ad0a8edd |
| SHA1 | 5c80b6e4a30f552f9f35f228791b963608e5a2bc |
| SHA256 | b38586cb3f7ea70956ccded1963366d0ca3f0aa86c1962db49be27303f55045b |
| SHA512 | ac882263ae430e670d1edeb1f441e1fc6bde3f394dae86f6736388041a8587651e0c17cd6acc3328401b5eeac6454b619ca7d090a61d3d7e828229e1e221c2b1 |
memory/2936-952-0x0000000180000000-0x000000018003C000-memory.dmp