Analysis

  • max time kernel
    126s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14/10/2020, 05:50

General

  • Target

    1 (4).exe

  • Size

    2.1MB

  • MD5

    9cd1f319f58c3979399c1779d5a34bc2

  • SHA1

    5e231182bb592a76e989e0bab636eb5066ab9f20

  • SHA256

    093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3

  • SHA512

    633da47509ab091d356dac14f3467c347c289eceeb56b6dd455cb11c1ba227b2c40d257c968c32288388eca72b8dc5f8def2124c3e571884e59e5e2fa8df22f3

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload 1 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1 (4).exe
    "C:\Users\Admin\AppData\Local\Temp\1 (4).exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd"
      2⤵
        PID:1380

Downloads

  • memory/976-0-0x0000000000750000-0x0000000000798000-memory.dmp
    Filesize 288KB
  • memory/976-1-0x0000000180000000-0x000000018004D000-memory.dmp
    Filesize 308KB
  • memory/1380-2-0x0000000140000000-0x0000000140043000-memory.dmp
    Filesize 268KB

The three regions line up with the signature hits above. The dump taken from the cmd.exe child (PID 1380) starts at 0x140000000, the default image base the MSVC linker assigns to x64 executables, and the second dump from the parent (PID 976) starts at 0x180000000, the default base for x64 DLLs. Combined with the WriteProcessMemory and SetThreadContext calls attributed to PID 976, this is the footprint of a payload image being written into a freshly spawned process and executed there, although the report itself only lists the API usage and does not name the injection technique.
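A small triage helper for dumps like the three listed above, added here as an example and not part of the sandbox's own tooling. It parses the sandbox's `memory/<pid>-<index>-<start>-<end>-memory.dmp` naming convention, flags regions that begin at the MSVC default x64 image bases, and checks whether a dumped region starts with a PE32+ image whose ImageBase and SizeOfImage agree with the region. The PE bytes fed to it are constructed in-line (the `build_pe64` helper) so the script runs offline; against a real report you would read the downloaded `.dmp` files instead.

```python
"""Triage sandbox memory dumps for injected-image indicators (example code)."""
import re
import struct

# Dump names copied from the report's Downloads section.
REPORT_DUMPS = [
    "memory/976-0-0x0000000000750000-0x0000000000798000-memory.dmp",
    "memory/976-1-0x0000000180000000-0x000000018004D000-memory.dmp",
    "memory/1380-2-0x0000000140000000-0x0000000140043000-memory.dmp",
]

# Default ImageBase values the MSVC linker assigns to x64 binaries.
DEFAULT_BASES = {
    0x140000000: "default x64 EXE base",
    0x180000000: "default x64 DLL base",
}

_NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split '<pid>-<idx>-<start>-<end>' out of a sandbox dump name."""
    m = _NAME_RE.search(name)
    if not m:
        raise ValueError("unrecognised dump name: %s" % name)
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end,
            "size": end - start, "default_base": DEFAULT_BASES.get(start)}


def parse_pe64(blob):
    """Return selected header fields if blob begins with a PE32+ image, else None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", blob, opt)[0] != 0x20B:  # PE32+ magic only
        return None
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]
    image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    return {"machine": machine, "is_dll": bool(chars & 0x2000),
            "entry_rva": entry_rva, "image_base": image_base,
            "size_of_image": size_of_image}


def assess_dump(name, blob=None):
    """Combine facts from the dump name with facts from its PE header."""
    info = parse_dump_name(name)
    findings = []
    if info["default_base"]:
        findings.append("region starts at %s" % info["default_base"])
    pe = parse_pe64(blob) if blob else None
    if pe:
        info["pe"] = pe
        findings.append("PE32+ image (%s)" % ("DLL" if pe["is_dll"] else "EXE"))
        if pe["image_base"] != info["start"]:
            findings.append("ImageBase 0x%X differs from region start" % pe["image_base"])
        if pe["size_of_image"] > info["size"]:
            findings.append("SizeOfImage exceeds dumped region")
    info["findings"] = findings
    return info


def build_pe64(image_base, size_of_image, is_dll):
    """Construct a minimal PE32+ header blob for testing (not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0022 | (0x2000 if is_dll else 0)   # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, chars)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed stand-in for the PID 1380 dump: an EXE image at 0x140000000.
    sample = build_pe64(0x140000000, 0x43000, is_dll=False)
    for dump in REPORT_DUMPS:
        blob = sample if dump.startswith("memory/1380-") else None
        result = assess_dump(dump, blob)
        print("%s size=0x%X %s" % (dump, result["size"], result["findings"]))
```

The region sizes recovered from the names (0x48000, 0x4D000 and 0x43000 bytes) reproduce the 288KB, 308KB and 268KB the report lists, so a mismatch there would indicate a truncated download. A dumped image whose ImageBase disagrees with its region start, or whose SizeOfImage is larger than the region, is worth a second look before treating the dump as a complete unpacked payload.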