bazarloader | dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b

General

Target

2b975f9e33ce44329dbc74941536432a.exe
Size

245KB
MD5

2b975f9e33ce44329dbc74941536432a
SHA1

22b0cd47fdc5b6b99812779f2d02ccb2ecc46705
SHA256

dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b
SHA512

ea718aa960d35e36345b5750e030fac0e1a91a59e2e7c6373149d0a183bbc41e70244836257b4c4e22f45b509a2f541db80e106568623ae5b9b1cb3186d5a951

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/528-3-0x0000000180000000-0x0000000180024000-memory.dmp	BazarLoaderVar1

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b975f9e33ce44329dbc74941536432a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TB6FSHUKP4 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v K6WK1WN7P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe KPYFB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe KPYFB"	2b975f9e33ce44329dbc74941536432a.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1260 PING.EXE
1708 PING.EXE
1516 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.exe

pid process

528 2b975f9e33ce44329dbc74941536432a.exe

pid	process
1260	PING.EXE
1708	PING.EXE
1516	PING.EXE

pid	process
528	2b975f9e33ce44329dbc74941536432a.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
"C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe UNVPQX
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
3⤵
- Runs ping.exe
PID:1260

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe UNVPQX
3⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe E6RJ70R
4⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
5⤵
- Runs ping.exe
PID:1708

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe E6RJ70R
5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe KPYFB
6⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
7⤵
- Runs ping.exe
PID:1516

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe KPYFB
7⤵
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-9-0x0000000000000000-mapping.dmp

Download
memory/528-3-0x0000000180000000-0x0000000180024000-memory.dmp

Filesize
144KB

Download
memory/528-2-0x000000013F870000-0x000000013F8AF000-memory.dmp

Filesize
252KB

Download
memory/924-12-0x000000013F6B0000-0x000000013F6EF000-memory.dmp

Filesize
252KB

Download
memory/924-11-0x0000000000000000-mapping.dmp

Download
memory/1064-14-0x0000000000000000-mapping.dmp

Download
memory/1260-5-0x0000000000000000-mapping.dmp

Download
memory/1268-6-0x0000000000000000-mapping.dmp

Download
memory/1268-7-0x000000013F7F0000-0x000000013F82F000-memory.dmp

Filesize
252KB

Download
memory/1296-4-0x0000000000000000-mapping.dmp

Download
memory/1516-15-0x0000000000000000-mapping.dmp

Download
memory/1708-10-0x0000000000000000-mapping.dmp

Download
memory/2008-16-0x0000000000000000-mapping.dmp

Download
memory/2008-17-0x000000013F940000-0x000000013F97F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads