Malware Analysis Report

2025-04-13 11:50

Sample ID: 220119-lyafqsggh5
Target:    4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142
SHA256:    4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142
Tags:      bazarloader, dropper, loader
Score:     10/10

Analysis Overview

Score:        10/10
SHA256:       4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142
Threat Level: Known bad

The file 4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142 was found to be: Known bad.

Malicious Activity Summary

Tags: bazarloader, dropper, loader

Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Checks processor information in registry
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V6)

Analysis: static1

Detonation Overview

Reported: 2022-01-19 09:55

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2022-01-19 09:55
Reported:         2022-01-19 09:58
Platform:         win10v2004-en-20220113
Max time kernel:  152s
Max time network: 158s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll"

Signatures

Bazar Loader

Tags: loader, dropper, bazarloader

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

Bazar/Team9 Loader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2700 wrote to memory of 1724 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe
PID 2700 wrote to memory of 1724 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe

Both WriteProcessMemory events are EXCEL.EXE (PID 2700, the process hosting the XLL) writing into the rundll32.exe child it spawned (PID 1724).

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 2700)

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll"

C:\Windows\SYSTEM32\rundll32.exe (PID 1724, child of PID 2700)

rundll32 C:\Users\Admin\JavaObjectReflectA.dll , dopt

Network

Country | Destination | Domain | Proto
UA | 91.201.202.219:443 | - | tcp

Files

Memory dumps from PID 2700 (EXCEL.EXE):
  0x00007FF9ED5B0000-0x00007FF9ED5C0000: memory/2700-130, -131, -132, -133, -134
  0x00007FF9EB360000-0x00007FF9EB370000: memory/2700-137, -138

C:\Users\Admin\AppData\Local\Temp\4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142.xll

MD5 5a0e926c464b2ca981fefa8f4b6216f6
SHA1 e8bff4f832a2826b5479ada18cedb7ccd12dbac0
SHA256 4507c736a5aa8756e4ae1f5a43f16fffbf1f8536cde0f450eb2fb8e9edf68142
SHA512 1b5410ad5d99e87fa1673f9c99c3c3c2deb3768e358ea4faefccdbfbf5d7a9a8c5b5d446cbe8dfa4307ee51d648771f5a26ceaf39167a03c36d1e46150de1060

C:\Users\Admin\JavaObjectReflectA.dll

MD5 a36f350eadc12edfd4e35f863d4b2dc5
SHA1 8eef81465f900e935a40799dbba9f539a6c4bd13
SHA256 5da98176670509a11fba5c5164ade843f4bb29d62c570a1b7a52d08caa09bab5
SHA512 372ca8663311417dfdb2b52ca5c1f2156fe8971e96d988d5c96a409cb82114df55e7f3ed19fc0813c221b7cd16933cbd7cd653fbd1dfdfda22354516e5674b3e

memory/1724-152-0x0000000180000000-0x000000018003C000-memory.dmp
  (PID 1724, rundll32.exe; 0x3C000 bytes = 240 KB. 0x180000000 is the default preferred image base for 64-bit DLLs, consistent with JavaObjectReflectA.dll mapped into the rundll32 process.)

Memory dumps from PID 2700 (EXCEL.EXE):
  0x00007FF9ED5B0000-0x00007FF9ED5C0000: memory/2700-174, -175, -176, -177