Analysis Overview
SHA256
9bfe3e664dea6ec4c143d6beb35b7cef737163ee64f78e06e4d779859c046138
Threat Level: Known bad
The file 9bfe3e664dea6ec4c143d6beb35b7cef737163ee64f78e06e4d779859c046138 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 09:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 09:23
Reported
2022-01-19 09:25
Platform
win10-en-20211208
Max time kernel
131s
Max time network
142s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 684 wrote to memory of 2028 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 684 wrote to memory of 2028 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\9bfe3e664dea6ec4c143d6beb35b7cef737163ee64f78e06e4d779859c046138.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectY.dll , dopt
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.21:443 | | tcp |
| US | 52.109.8.21:443 | | tcp |
| UA | 91.201.202.219:443 | | tcp |
| NL | 194.147.115.132:443 | | tcp |
Files
memory/684-115-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-116-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-117-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-118-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-121-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-128-0x00007FFCAD840000-0x00007FFCAD850000-memory.dmp
memory/684-129-0x00007FFCAD840000-0x00007FFCAD850000-memory.dmp
\Users\Admin\AppData\Local\Temp\9bfe3e664dea6ec4c143d6beb35b7cef737163ee64f78e06e4d779859c046138.xll
| MD5 | 13bc88ede0b07077de8c91f1d552939b |
| SHA1 | f517a3933b6aaffe605b8a625c34eeff2ac53cb9 |
| SHA256 | 9bfe3e664dea6ec4c143d6beb35b7cef737163ee64f78e06e4d779859c046138 |
| SHA512 | 1814fd33d280e20c5f53e19de0ace86c4e98abf785ef351837458f0b4660bdae3c377bb6a5eda8881fd0ea8b0bde28ed98a319839e747f118422bfda9de2662e |
C:\Users\Admin\JavaObjectReflectY.dll
| MD5 | 7367c0c6a7ec3a6b2dbeddf7f163f953 |
| SHA1 | af7361a8955aee907c960c22b3d5229f424cf3e2 |
| SHA256 | 301f3f5edb4d5c56934eaa6b3a2bf30747919e549e3a7234c9e04032a9fed3b8 |
| SHA512 | 960b9686423b9cf40a061c3dcbb4c14179f81d38f3ae336b0f6fa3bd4c917f96780d1470825c458898df485f27d23267c344c279938b516c9225e7e8c98e352d |
\Users\Admin\JavaObjectReflectY.dll
| MD5 | 7367c0c6a7ec3a6b2dbeddf7f163f953 |
| SHA1 | af7361a8955aee907c960c22b3d5229f424cf3e2 |
| SHA256 | 301f3f5edb4d5c56934eaa6b3a2bf30747919e549e3a7234c9e04032a9fed3b8 |
| SHA512 | 960b9686423b9cf40a061c3dcbb4c14179f81d38f3ae336b0f6fa3bd4c917f96780d1470825c458898df485f27d23267c344c279938b516c9225e7e8c98e352d |
memory/2028-269-0x0000000180000000-0x000000018003C000-memory.dmp
memory/684-289-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-290-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-291-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp
memory/684-292-0x00007FFCB13B0000-0x00007FFCB13C0000-memory.dmp