Analysis Overview
SHA256
59136a8738af5783756405f46526e99f705dd94a14dd2629de96880814dacc0c
Threat Level: Known bad
The file 59136a8738af5783756405f46526e99f705dd94a14dd2629de96880814dacc0c was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 09:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 09:15
Reported
2022-01-19 09:17
Platform
win10-en-20211208
Max time kernel
118s
Max time network
139s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1260 wrote to memory of 2316 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 1260 wrote to memory of 2316 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\59136a8738af5783756405f46526e99f705dd94a14dd2629de96880814dacc0c.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectiveK.dll , dopt
Network
| Country | Destination | Domain | Proto |
| UA | 91.201.202.219:443 | | tcp |
| NL | 194.147.115.132:443 | | tcp |
| UA | 194.38.20.30:443 | 194.38.20.30 | tcp |
| RU | 188.127.251.106:443 | | tcp |
Files
memory/1260-115-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-116-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-117-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-118-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-121-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-128-0x00007FF89A3C0000-0x00007FF89A3D0000-memory.dmp
memory/1260-129-0x00007FF89A3C0000-0x00007FF89A3D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\59136a8738af5783756405f46526e99f705dd94a14dd2629de96880814dacc0c.xll
| MD5 | d9dc8d21d1b662803907276a1c131b2c |
| SHA1 | ad15b7c845390a2964af34255cf50db8c1c98a8e |
| SHA256 | 59136a8738af5783756405f46526e99f705dd94a14dd2629de96880814dacc0c |
| SHA512 | 680afcc6bd570457b5c146fb9812dbcdf07fc1990c928f5152ac509203accbc8c7e0c194bdd221ac1c01cd63a813218e5b003597293a5e8ddef0fe73a1daca1b |
C:\Users\Admin\JavaObjectReflectiveK.dll
| MD5 | aa29ef7467008ceb187a07099a974820 |
| SHA1 | 7edf8380bf24322fb619acfc47c8f69a6aac8841 |
| SHA256 | c3fb8d7cad4bb609173087f40868a60012b3030f6b5b8b21ef50ba83df477412 |
| SHA512 | e8a0fe107925ef33f03b5398a9deb72bbb87d7d7023fff17cbaa794e79673c36cb078e747970ca06a5b1dce298ca707e86abc895a99f11639b0c9ddf782587c5 |
memory/2316-259-0x0000000180000000-0x000000018003C000-memory.dmp
memory/1260-277-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-278-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-279-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp
memory/1260-280-0x00007FF89DB10000-0x00007FF89DB20000-memory.dmp