Analysis

  • max time kernel
    129s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v200722
  • submitted
    14/10/2020, 05:50

General

  • Target

    1 (4).exe

  • Size

    2.1MB

  • MD5

    9cd1f319f58c3979399c1779d5a34bc2

  • SHA1

    5e231182bb592a76e989e0bab636eb5066ab9f20

  • SHA256

    093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3

  • SHA512

    633da47509ab091d356dac14f3467c347c289eceeb56b6dd455cb11c1ba227b2c40d257c968c32288388eca72b8dc5f8def2124c3e571884e59e5e2fa8df22f3

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload 1 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1 (4).exe
    "C:\Users\Admin\AppData\Local\Temp\1 (4).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\system32\cmd.exe
      "cmd"
      2⤵
      PID:1600

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1304-0-0x00000000005E0000-0x0000000000628000-memory.dmp

    Filesize

    288KB

  • memory/1304-1-0x0000000180000000-0x000000018004D000-memory.dmp

    Filesize

    308KB

  • memory/1600-2-0x0000000140000000-0x0000000140043000-memory.dmp

    Filesize

    268KB