Analysis Overview
SHA256
56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350
Threat Level: Known bad
The file 56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Process spawned unexpected child process
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 13:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 13:55
Reported
2022-01-19 13:58
Platform
win10-en-20211208
Max time kernel
129s
Max time network
153s
Command Line
Signatures
Bazar Loader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3596 wrote to memory of 2112 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
| PID 3596 wrote to memory of 2112 | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | C:\Windows\SYSTEM32\rundll32.exe |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350.xll"
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Admin\JavaObjectReflectG.dll , dopt
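The process chain above (EXCEL.EXE opening an .xll add-in, then rundll32.exe loading a DLL from the user profile with the export `dopt`) is the part of this report most worth turning into detection logic. The following is an added example, not part of the sandbox report or of any vendor's rule set: it runs over constructed, Sysmon Event ID 1-style process-creation records built from the Processes section plus two benign controls, and scores each rundll32 launch on the three signals the report shows for PID 2112. The `TRUSTED_DLL_DIRS` list, the severity thresholds and the PIDs 4400/5100 are assumptions for illustration.

```python
"""Flag the Office -> rundll32 -> user-profile DLL chain recorded in this report.

Added example (not part of the sandbox report). It runs over constructed,
Sysmon Event ID 1-style process-creation records and reproduces the three
signals the report shows for PID 2112: an Office parent, a DLL handed to
rundll32 from a user-writable path, and a parent that opened an .xll add-in.
"""
import ntpath
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Assumed allow-list: DLLs rundll32 is normally handed live here.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed records. PIDs 3596/2112 and their command lines come from the
# report's Processes section; 4400 and 5100 are hypothetical benign controls.
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"
RUNDLL = r"C:\Windows\SYSTEM32\rundll32.exe"
XLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350.xll")
SAMPLE_EVENTS = [
    {"ProcessId": 3596, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": EXCEL, "CommandLine": f'"{EXCEL}" "{XLL}"'},
    {"ProcessId": 2112, "ParentProcessId": 3596, "ParentImage": EXCEL,
     "Image": RUNDLL, "CommandLine": r"rundll32 C:\Users\Admin\JavaObjectReflectG.dll , dopt"},
    # control: Explorer launching a Control Panel applet through rundll32
    {"ProcessId": 4400, "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": RUNDLL, "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # control: Word spawning rundll32 with a DLL under Program Files (hypothetical)
    {"ProcessId": 5100, "ParentProcessId": 5000,
     "ParentImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "Image": RUNDLL,
     "CommandLine": r'rundll32.exe "C:\Program Files\Common Files\Example\helper.dll",Init'},
]


@dataclass
class Finding:
    pid: int
    severity: str
    dll: str
    export: str
    reasons: list


def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into (dll_path, export_name).

    Tolerates quoting and the 'dll , export' spacing seen in the report;
    returns None when the line is not a rundll32 invocation with arguments.
    """
    m = re.match(r'^\s*"?[^"\s]*rundll32(?:\.exe)?"?\s+(?P<rest>.+)$', cmdline, re.I)
    if not m:
        return None
    rest = m.group("rest").strip()
    if "," in rest:
        dll, export = rest.split(",", 1)
        export = export.split()[0] if export.split() else ""
    else:
        parts = rest.split()
        dll, export = parts[0], (parts[1] if len(parts) > 1 else "")
    return dll.strip().strip('"'), export.strip().strip('"')


def analyse(events):
    """Return a Finding for every rundll32 launch that matches part of the chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["Image"]).lower() != "rundll32.exe":
            continue
        reasons = []
        parent_name = ntpath.basename(e.get("ParentImage", "")).lower()
        if parent_name in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {parent_name}")
        parsed = parse_rundll32(e["CommandLine"])
        dll, export = parsed if parsed else ("", "")
        # A bare or relative DLL name is flagged too: it is resolved by search order.
        if dll and not dll.lower().startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"DLL outside trusted directories: {dll}")
        parent = by_pid.get(e.get("ParentProcessId"))
        if parent and ".xll" in parent.get("CommandLine", "").lower():
            reasons.append("parent opened an .xll add-in")
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            findings.append(Finding(e["ProcessId"], severity, dll, export, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"PID {f.pid}: {f.severity} ({f.dll} -> {f.export}); " + "; ".join(f.reasons))
```

Run against the constructed records, PID 2112 scores high on all three signals, the Word control scores medium on the Office-parent signal alone, and the Explorer/shell32 control produces nothing. The parent lookup by `ParentProcessId` only works when the parent's creation event is in the same batch; in a SIEM the same join is done against the process-creation index.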
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.19:443 | | tcp |
| US | 52.109.8.19:443 | | tcp |
| UA | 91.201.202.219:443 | | tcp |
| NL | 194.147.115.132:443 | | tcp |
| UA | 194.38.20.30:443 | 194.38.20.30 | tcp |
| RU | 188.127.251.106:443 | | tcp |
Files
memory/3596-115-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-116-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-117-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-118-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-119-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-128-0x00007FF978E10000-0x00007FF978E20000-memory.dmp
memory/3596-129-0x00007FF978E10000-0x00007FF978E20000-memory.dmp
\Users\Admin\AppData\Local\Temp\56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350.xll
| MD5 | f198da6e1ffc5c8e76e126412f6a0fe8 |
| SHA1 | e3f2a10f79f2b07e2a80c5d218e15cc1ae3b9a8e |
| SHA256 | 56d8a969497fe0cf90aa6e71c8f7c1a2e76b621d0b18876db8e3ca198a7b4350 |
| SHA512 | e72f270c1b75748fc04201bb774eec09fdf6113f6e41f83a4a0dba55e253fd50a7579fae8ed38eb01fd1072980455373d1fb2413d4e84449b22d569e1fe991e5 |
C:\Users\Admin\JavaObjectReflectG.dll
| MD5 | cc4209b9713dd9ba7418035c0d7b2fb7 |
| SHA1 | 170719c68d52aa5ae561bda8801ecd44ca9ea797 |
| SHA256 | 707d05f7e3bff16e3e8e6b8de3226207cd8cba02fbd42e635b3569548826e309 |
| SHA512 | 6e2108494c55185148b82bcdad309144166baf6a639d4dc87c8bcf3d9aa96ae7c29d59224978fbe25af214d1f3e86829f81ed928dae237a62789d3f2af04f2e4 |
\Users\Admin\JavaObjectReflectG.dll
| MD5 | cc4209b9713dd9ba7418035c0d7b2fb7 |
| SHA1 | 170719c68d52aa5ae561bda8801ecd44ca9ea797 |
| SHA256 | 707d05f7e3bff16e3e8e6b8de3226207cd8cba02fbd42e635b3569548826e309 |
| SHA512 | 6e2108494c55185148b82bcdad309144166baf6a639d4dc87c8bcf3d9aa96ae7c29d59224978fbe25af214d1f3e86829f81ed928dae237a62789d3f2af04f2e4 |
memory/2112-263-0x0000000180000000-0x000000018003C000-memory.dmp
memory/3596-301-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-302-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-303-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp
memory/3596-304-0x00007FF97BC30000-0x00007FF97BC40000-memory.dmp