Analysis
- max time kernel: 21s
- max time network: 89s
- platform: windows7_x64
- resource: win7v200722
- submitted: 20-10-2020 16:43
Static task: static1
Behavioral task: behavioral1
  Sample: 8d35e058f5631c80b00dd695511878e3.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: 8d35e058f5631c80b00dd695511878e3.exe
  Resource: win10
General
- Target: 8d35e058f5631c80b00dd695511878e3.exe
- Size: 12.0MB
- MD5: 8d35e058f5631c80b00dd695511878e3
- SHA1: 8103299196efabec8ec0fc1d25f1332241b93220
- SHA256: 0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789
- SHA512: be5a25d3a6d1ead76fcb7e72a5150e2ba267354e2fedfd646a823cb096ed24132cc44b2d5cc2c926aed7ce01179d76ceb4d57a2b8e03950cb9d844a2704ca6f7
Malware Config
Signatures
- BazarBackdoor (4 IoCs)
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  Processes:
    description | flow | ioc
    HTTP URL | 16 | https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/2
    HTTP URL | 13 | https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
    HTTP URL | 14 | https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
    HTTP URL | 15 | https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
- Blacklisted process makes network request (4 IoCs)
  Processes: cmd.exe
    flow | pid | process
    13 | 1112 | cmd.exe
    14 | 1112 | cmd.exe
    15 | 1112 | cmd.exe
    16 | 1112 | cmd.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 8d35e058f5631c80b00dd695511878e3.exe
    description | pid | process | target process
    PID 1516 set thread context of 1112 | 1516 | 8d35e058f5631c80b00dd695511878e3.exe | cmd.exe
- Modifies system certificate store (2 IoCs)
  Processes: 8d35e058f5631c80b00dd695511878e3.exe
    description | ioc | process
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [value omitted] | 8d35e058f5631c80b00dd695511878e3.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | 8d35e058f5631c80b00dd695511878e3.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: 8d35e058f5631c80b00dd695511878e3.exe, 8d35e058f5631c80b00dd695511878e3.exe
    pid | process
    1516 | 8d35e058f5631c80b00dd695511878e3.exe
    1492 | 8d35e058f5631c80b00dd695511878e3.exe
- Suspicious use of WriteProcessMemory (852 IoCs)
  Processes: 8d35e058f5631c80b00dd695511878e3.exe
    description | pid | process | target process
    PID 1516 wrote to memory of 1112 | 1516 | 8d35e058f5631c80b00dd695511878e3.exe | cmd.exe
    (the same row is repeated for each of the listed IoCs: every visible entry is PID 1516 writing into PID 1112, cmd.exe)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe"
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\cmd.exe
    Command line: C:\Windows\System32\cmd.exe
    - Blacklisted process makes network request
- [depth 1] C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe 621077893
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1112-5-0x0000000049EC0000-0x0000000049F04000-memory.dmp (Filesize: 272KB)
- memory/1112-6-0x0000000049EDD968-mapping.dmp
- memory/1112-7-0x0000000049EC0000-0x0000000049F04000-memory.dmp (Filesize: 272KB)
- memory/1492-4-0x0000000001D00000-0x0000000001D2E000-memory.dmp (Filesize: 184KB)
- memory/1516-0-0x0000000001D40000-0x0000000001D6D000-memory.dmp (Filesize: 180KB)
- memory/1516-1-0x0000000001D70000-0x0000000001D9E000-memory.dmp (Filesize: 184KB)
- memory/1628-2-0x000007FEF8560000-0x000007FEF87DA000-memory.dmp (Filesize: 2.5MB)