Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 14:38
- Static task: static1
- Behavioral task: behavioral1 (Sample: DocumentPreview.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: DocumentPreview.exe, Resource: win10v200430)
General
- Target: DocumentPreview.exe
- Size: 259KB
- MD5: 343a2579cafed501bcad9ad2ebd010e6
- SHA1: 2462cbff6243ba3eb179aa4f799d1a6fc41dac18
- SHA256: a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd
- SHA512: 7adeb12f79dd63d91c5cc2864fa15ed48605e122a4a968993f95e986d84bf33baf4c02344ce957e25af2ff5270fab6af211b10947f47a6127b445ce8b5474e48
Malware Config
Signatures
- Bazar Loader (12 IoCs)
  Detected loader normally used to deploy BazarBackdoor malware.
  Processes: DocumentPreview.exe

  description   flow  ioc
  HTTP URL      17    https://66.70.218.37/api/v86
  Key created   -     \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\My (process: DocumentPreview.exe)
  HTTP URL      5     https://86.104.194.108/api/v86
  HTTP URL      10    https://217.12.209.44/api/v86
  HTTP URL      13    https://194.5.249.109/api/v86
  HTTP URL      14    https://194.5.249.109/api/v86
  HTTP URL      16    https://66.70.218.37/api/v86
  HTTP URL      8     https://86.104.194.108/api/v86
  HTTP URL      9     https://86.104.194.108/api/v86
  HTTP URL      11    https://217.12.209.44/api/v86
  HTTP URL      12    https://217.12.209.44/api/v86
  HTTP URL      15    https://194.5.249.109/api/v86
- Executes dropped EXE (1 IoC)
  Processes: byespqnb.exe

  pid   process
  1572  byespqnb.exe
- Tries to connect to .bazar domain (11 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  Processes:

  description   flow  ioc
  HTTP URL      13    https://194.5.249.109/api/v86
  HTTP URL      14    https://194.5.249.109/api/v86
  HTTP URL      15    https://194.5.249.109/api/v86
  HTTP URL      16    https://66.70.218.37/api/v86
  HTTP URL      8     https://86.104.194.108/api/v86
  HTTP URL      9     https://86.104.194.108/api/v86
  HTTP URL      11    https://217.12.209.44/api/v86
  HTTP URL      17    https://66.70.218.37/api/v86
  HTTP URL      5     https://86.104.194.108/api/v86
  HTTP URL      10    https://217.12.209.44/api/v86
  HTTP URL      12    https://217.12.209.44/api/v86
- Loads dropped DLL (1 IoC)
  Processes: cmd.exe

  pid   process
  1588  cmd.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: cmd.exe

  description                        pid   process  target process
  PID 1588 wrote to memory of 1572   1588  cmd.exe  byespqnb.exe
  PID 1588 wrote to memory of 1572   1588  cmd.exe  byespqnb.exe
  PID 1588 wrote to memory of 1572   1588  cmd.exe  byespqnb.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"
  Signatures: Bazar Loader
  PID: 112
- C:\Windows\system32\cmd.exe
  Command line: cmd.exe / c "start "" /b "cmd.exe" /c "copy /y "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" "C:\Users\Admin\AppData\Local\Temp\byespqnb.exe"&&start "" /b "C:\Users\Admin\AppData\Local\Temp\byespqnb.exe" -z {834E8EE4-0C09-469A-878E-97B1A09282E9}&&exit 0""
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 1588
  - C:\Users\Admin\AppData\Local\Temp\byespqnb.exe (child of cmd.exe, PID 1588)
    Command line: "C:\Users\Admin\AppData\Local\Temp\byespqnb.exe" -z {834E8EE4-0C09-469A-878E-97B1A09282E9}
    Signatures: Executes dropped EXE
    PID: 1572
Network
MITRE ATT&CK Matrix
Downloads
- MD5: 343a2579cafed501bcad9ad2ebd010e6
  SHA1: 2462cbff6243ba3eb179aa4f799d1a6fc41dac18
  SHA256: a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd
  SHA512: 7adeb12f79dd63d91c5cc2864fa15ed48605e122a4a968993f95e986d84bf33baf4c02344ce957e25af2ff5270fab6af211b10947f47a6127b445ce8b5474e48