bazarbackdoor | 1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2

General

Target

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
Size

332KB
MD5

a41429f7dbecfb76e6b7534afbeb4f74
SHA1

68f48d169b4f62189b3e43c3615aa7e4314e9459
SHA256

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2
SHA512

6957ba5090a5e36feec28fb5d4abeab7ec068ceb212bc7b3f2a10ac568f80b4a925e5d9b0815fc9e936897924c51d9c51fa1af35da508b2d6e0a179c26797bf6

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/740-14-0x0000000140000000-0x0000000140040000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/740-15-0x0000000140017F2C-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/740-16-0x0000000140000000-0x0000000140040000-memory.dmp	BazarBackdoorVar4

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe

description pid process target process

PID 3952 set thread context of 740 3952 1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	pid	process	target process
PID 3952 set thread context of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 8e4dd2816087d601	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe

pid	process
3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 1776 svchost.exe
Token: SeCreatePagefilePrivilege 1776 svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1776	svchost.exe
Token: SeCreatePagefilePrivilege	1776	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe

description	pid	process	target process
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe
PID 3952 wrote to memory of 740	3952	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
"C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SYSTEM32\cmd.exe
"cmd"
2⤵
PID:740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
"C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe" -r {ED73E169-002B-4531-8839-0C117FC16C6A}
1⤵
PID:3432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-14-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/740-15-0x0000000140017F2C-mapping.dmp

Download
memory/740-16-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3952-0-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/3952-1-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download
memory/3952-3-0x0000000002380000-0x00000000023AA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads