Analysis
max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7
submitted: 14-07-2020 16:10
Static task: static1
Behavioral task: behavioral1 (Sample: DocumentPreview.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: DocumentPreview.exe, Resource: win10v200430)
General
Target: DocumentPreview.exe
Size: 302KB
MD5: 7436b02a8347ca737c0dcefc3cb9eb39
SHA1: 1633ce9565cb4a858a01a7ee2349a2ba9e62bee2
SHA256: 030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5
SHA512: ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244
Malware Config
Signatures

Bazar Loader (13 IoCs)
Detected loader normally used to deploy BazarBackdoor malware.
Processes: DocumentPreview.exe
Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\My (process: DocumentPreview.exe)
HTTP URL 6: https://51.77.112.254/api/v86
HTTP URL 9: https://51.77.112.254/api/v86
HTTP URL 10: https://51.77.112.254/api/v86
HTTP URL 11: https://78.108.216.13/api/v86
HTTP URL 12: https://78.108.216.13/api/v86
HTTP URL 13: https://78.108.216.13/api/v86
HTTP URL 14: https://217.12.209.44/api/v86
HTTP URL 15: https://217.12.209.44/api/v86
HTTP URL 16: https://217.12.209.44/api/v86
HTTP URL 17: https://185.99.2.191/api/v86
HTTP URL 18: https://185.99.2.191/api/v86
HTTP URL 19: https://185.99.2.191/api/v86

Executes dropped EXE (1 IoC)
Processes: kfusadqe.exe
PID 1544: kfusadqe.exe

Tries to connect to .bazar domain (12 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Flows (description, ioc):
HTTP URL 6: https://51.77.112.254/api/v86
HTTP URL 9: https://51.77.112.254/api/v86
HTTP URL 10: https://51.77.112.254/api/v86
HTTP URL 11: https://78.108.216.13/api/v86
HTTP URL 12: https://78.108.216.13/api/v86
HTTP URL 13: https://78.108.216.13/api/v86
HTTP URL 14: https://217.12.209.44/api/v86
HTTP URL 15: https://217.12.209.44/api/v86
HTTP URL 16: https://217.12.209.44/api/v86
HTTP URL 17: https://185.99.2.191/api/v86
HTTP URL 18: https://185.99.2.191/api/v86
HTTP URL 19: https://185.99.2.191/api/v86

Loads dropped DLL (1 IoC)
Processes: cmd.exe
PID 1584: cmd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: cmd.exe
PID 1584 wrote to memory of 1544 (process: 1584 cmd.exe, target process: kfusadqe.exe)
PID 1584 wrote to memory of 1544 (process: 1584 cmd.exe, target process: kfusadqe.exe)
PID 1584 wrote to memory of 1544 (process: 1584 cmd.exe, target process: kfusadqe.exe)
Processes

C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe (PID 1508, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"
  Signatures: Bazar Loader

C:\Windows\system32\cmd.exe (PID 1584, depth 1)
  Command line: cmd.exe / c "start "" /b "cmd.exe" /c "copy /y "C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe" "C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe"&&start "" /b "C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe" -z {3B0C56AA-928A-414D-B82D-5FB923B4D898}&&exit 0""
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe (PID 1544, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe" -z {3B0C56AA-928A-414D-B82D-5FB923B4D898}
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
MD5: 7436b02a8347ca737c0dcefc3cb9eb39
SHA1: 1633ce9565cb4a858a01a7ee2349a2ba9e62bee2
SHA256: 030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5
SHA512: ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244

MD5: 7436b02a8347ca737c0dcefc3cb9eb39
SHA1: 1633ce9565cb4a858a01a7ee2349a2ba9e62bee2
SHA256: 030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5
SHA512: ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244