Analysis Overview
SHA256
4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142
Threat Level: Known bad
The file 4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Checks processor information in registry
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 09:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 09:55
Reported
2022-01-19 09:58
Platform
win10v2004-en-20220113
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2700 wrote to memory of 1724 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 2700 wrote to memory of 1724 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectA.dll , dopt
Network
| Country | Destination | Domain | Proto |
| UA | 91.201.202.219:443 | tcp |
Files
memory/2700-130-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-131-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-132-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-133-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-134-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-137-0x00007FF9EB360000-0x00007FF9EB370000-memory.dmp
memory/2700-138-0x00007FF9EB360000-0x00007FF9EB370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll
| MD5 | 5a0e926c464b2ca981fefa8f4b6216f6 |
| SHA1 | e8bff4f832a2826b5479ada18cedb7ccd12dbac0 |
| SHA256 | 4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142 |
| SHA512 | 1b5410ad5d99e87fa1673f9c99c3c3c2deb3768e358ea4faefccdbfbf5d7a9a8c5b5d446cbe8dfa4307ee51d648771f5a26ceaf39167a03c36d1e46150de1060 |
C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll
| MD5 | 5a0e926c464b2ca981fefa8f4b6216f6 |
| SHA1 | e8bff4f832a2826b5479ada18cedb7ccd12dbac0 |
| SHA256 | 4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142 |
| SHA512 | 1b5410ad5d99e87fa1673f9c99c3c3c2deb3768e358ea4faefccdbfbf5d7a9a8c5b5d446cbe8dfa4307ee51d648771f5a26ceaf39167a03c36d1e46150de1060 |
C:\Users\Admin\JavaObjectReflectA.dll
| MD5 | a36f350eadc12edfd4e35f863d4b2dc5 |
| SHA1 | 8eef81465f900e935a40799dbba9f539a6c4bd13 |
| SHA256 | 5da98176670509a11fba5c5164ade843f4bb29d62c570a1b7a52d08caa09bab5 |
| SHA512 | 372ca8663311417dfdb2b52ca5c1f2156fe8971e96d988d5c96a409cb82114df55e7f3ed19fc0813c221b7cd16933cbd7cd653fbd1dfdfda22354516e5674b3e |
C:\Users\Admin\JavaObjectReflectA.dll
| MD5 | a36f350eadc12edfd4e35f863d4b2dc5 |
| SHA1 | 8eef81465f900e935a40799dbba9f539a6c4bd13 |
| SHA256 | 5da98176670509a11fba5c5164ade843f4bb29d62c570a1b7a52d08caa09bab5 |
| SHA512 | 372ca8663311417dfdb2b52ca5c1f2156fe8971e96d988d5c96a409cb82114df55e7f3ed19fc0813c221b7cd16933cbd7cd653fbd1dfdfda22354516e5674b3e |
memory/1724-152-0x0000000180000000-0x000000018003C000-memory.dmp
memory/2700-174-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-175-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-176-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp
memory/2700-177-0x00007FF9ED5B0000-0x00007FF9ED5C0000-memory.dmp