bazarloader | dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b

General

Target

2b975f9e33ce44329dbc74941536432a.exe
Size

245KB
MD5

2b975f9e33ce44329dbc74941536432a
SHA1

22b0cd47fdc5b6b99812779f2d02ccb2ecc46705
SHA256

dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b
SHA512

ea718aa960d35e36345b5750e030fac0e1a91a59e2e7c6373149d0a183bbc41e70244836257b4c4e22f45b509a2f541db80e106568623ae5b9b1cb3186d5a951

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/528-3-0x0000000180000000-0x0000000180024000-memory.dmp	BazarLoaderVar1

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b975f9e33ce44329dbc74941536432a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\TB6FSHUKP4 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v K6WK1WN7P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe KPYFB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe KPYFB"	2b975f9e33ce44329dbc74941536432a.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1260 PING.EXE
1708 PING.EXE
1516 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.exe

pid process

528 2b975f9e33ce44329dbc74941536432a.exe

pid	process
1260	PING.EXE
1708	PING.EXE
1516	PING.EXE

pid	process
528	2b975f9e33ce44329dbc74941536432a.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 528 wrote to memory of 1296	528	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1260	1296	cmd.exe	PING.EXE
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1296 wrote to memory of 1268	1296	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1268 wrote to memory of 480	1268	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 1708	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 480 wrote to memory of 924	480	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 924 wrote to memory of 1064	924	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 1516	1064	cmd.exe	PING.EXE
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 1064 wrote to memory of 2008	1064	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
"C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe UNVPQX
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:1260
- - C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
    C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe UNVPQX
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe E6RJ70R
      4⤵
      Suspicious use of WriteProcessMemory
      PID:480
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:1708
    - - C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe E6RJ70R
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:924
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe KPYFB
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe KPYFB
        7⤵
        
        PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-9-0x0000000000000000-mapping.dmp

Download
memory/528-3-0x0000000180000000-0x0000000180024000-memory.dmp

Filesize
144KB

Download
memory/528-2-0x000000013F870000-0x000000013F8AF000-memory.dmp

Filesize
252KB

Download
memory/924-12-0x000000013F6B0000-0x000000013F6EF000-memory.dmp

Filesize
252KB

Download
memory/924-11-0x0000000000000000-mapping.dmp

Download
memory/1064-14-0x0000000000000000-mapping.dmp

Download
memory/1260-5-0x0000000000000000-mapping.dmp

Download
memory/1268-6-0x0000000000000000-mapping.dmp

Download
memory/1268-7-0x000000013F7F0000-0x000000013F82F000-memory.dmp

Filesize
252KB

Download
memory/1296-4-0x0000000000000000-mapping.dmp

Download
memory/1516-15-0x0000000000000000-mapping.dmp

Download
memory/1708-10-0x0000000000000000-mapping.dmp

Download
memory/2008-16-0x0000000000000000-mapping.dmp

Download
memory/2008-17-0x000000013F940000-0x000000013F97F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads