Overview

overview

10

Static

static

e390ab08f8...1e.exe

windows7_x64

10

e390ab08f8...1e.exe

windows10_x64

10

Resubmissions

27-09-2020 00:33

200927-n2q2v3n43s 6

10-09-2020 08:49

200910-c8x1yrxskj 10

Analysis

  • max time kernel
    70s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-09-2020 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe

  • Size

    379KB

  • MD5

    9f00d78f2e8e4523773a264f85be1c02

  • SHA1

    3c542144a7a03134060bd666206a106bcea95e5a

  • SHA256

    e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e

  • SHA512

    5760967703d0702d4c855b75c895a2432c809ca8f945f2a80914f21b3c8129c4bbf155bac4bb5fa6b03e868b3d33cfbe1b3321a7b438741cd62d1c3323d38928

Score
10/10
persistenceloaderdropperbazarloaderbackdoorbazarbackdoor

Malware Config

Signatures

  • Bazar Loader 14 IoCs

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 831 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
    "C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe"
    1⤵
    • Bazar Loader
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Windows\system32\cmd.exe
      cmd /c TIMEOUT /T 50 /NOBREAK && move "C:\Users\Admin\AppData\Local\Temp\lkuttqbctx" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 50 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:2004
    • C:\Users\Admin\AppData\Local\Temp\shpgmfthgd.exe
      C:\Users\Admin\AppData\Local\Temp\shpgmfthgd.exe /NO_AUTOSTART 82.146.37.128
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\explorer.exe
        explorer.exe
        3⤵
          PID:1148

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\lkuttqbctx
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\shpgmfthgd.exe
      Download Submit
    • \Users\Admin\AppData\Local\Temp\shpgmfthgd.exe
      Download Submit
    • memory/936-13-0x000007FEF65F0000-0x000007FEF686A000-memory.dmp
      Filesize

      2.5MB

      Download
    • memory/1148-9-0x00000000FF1A0000-0x00000000FF25D000-memory.dmp
      Filesize

      756KB

      Download
    • memory/1148-10-0x00000000FF23B824-mapping.dmp
      Download
    • memory/1148-11-0x00000000FF1A0000-0x00000000FF25D000-memory.dmp
      Filesize

      756KB

      Download
    • memory/1500-0-0x0000000001D80000-0x0000000001DB3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1500-1-0x0000000001DC0000-0x0000000001DF2000-memory.dmp
      Filesize

      200KB

      Download
    • memory/1732-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1964-5-0x0000000000000000-mapping.dmp
      Download
    • memory/2004-3-0x0000000000000000-mapping.dmp
      Download