bazarloader | dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b

General

Target

2b975f9e33ce44329dbc74941536432a.exe
Size

245KB
MD5

2b975f9e33ce44329dbc74941536432a
SHA1

22b0cd47fdc5b6b99812779f2d02ccb2ecc46705
SHA256

dfbd75635b50926cf864349f436e8baf625881c2fd8cf9267d277d0b11dcc90b
SHA512

ea718aa960d35e36345b5750e030fac0e1a91a59e2e7c6373149d0a183bbc41e70244836257b4c4e22f45b509a2f541db80e106568623ae5b9b1cb3186d5a951

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3812-3-0x0000000180000000-0x0000000180024000-memory.dmp	BazarLoaderVar1

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2b975f9e33ce44329dbc74941536432a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	2b975f9e33ce44329dbc74941536432a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DJ1Z41273 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v XXGBWZFSP7 /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe PKFXLK\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\2b975f9e33ce44329dbc74941536432a.exe PKFXLK"	2b975f9e33ce44329dbc74941536432a.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1796 PING.EXE
3552 PING.EXE
2188 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.exe

pid process

3812 2b975f9e33ce44329dbc74941536432a.exe
3812 2b975f9e33ce44329dbc74941536432a.exe

pid	process
1796	PING.EXE
3552	PING.EXE
2188	PING.EXE

pid	process
3812	2b975f9e33ce44329dbc74941536432a.exe
3812	2b975f9e33ce44329dbc74941536432a.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe2b975f9e33ce44329dbc74941536432a.execmd.exe

description	pid	process	target process
PID 3812 wrote to memory of 2120	3812	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 3812 wrote to memory of 2120	3812	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 2120 wrote to memory of 1796	2120	cmd.exe	PING.EXE
PID 2120 wrote to memory of 1796	2120	cmd.exe	PING.EXE
PID 2120 wrote to memory of 2668	2120	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 2120 wrote to memory of 2668	2120	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 2668 wrote to memory of 4008	2668	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 2668 wrote to memory of 4008	2668	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 4008 wrote to memory of 3552	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 3552	4008	cmd.exe	PING.EXE
PID 4008 wrote to memory of 3680	4008	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 4008 wrote to memory of 3680	4008	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 3680 wrote to memory of 3908	3680	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 3680 wrote to memory of 3908	3680	2b975f9e33ce44329dbc74941536432a.exe	cmd.exe
PID 3908 wrote to memory of 2188	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 2188	3908	cmd.exe	PING.EXE
PID 3908 wrote to memory of 3044	3908	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe
PID 3908 wrote to memory of 3044	3908	cmd.exe	2b975f9e33ce44329dbc74941536432a.exe

C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
"C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe FJFTZ
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
    C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe FJFTZ
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe ROU5
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe ROU5
        5⤵
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3680
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe PKFXLK
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe
        
        C:\Users\Admin\AppData\Local\Temp\2b975f9e33ce44329dbc74941536432a.exe PKFXLK
        7⤵
        
        PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-75-0x0000000000000000-mapping.dmp

Download
memory/2120-74-0x0000000000000000-mapping.dmp

Download
memory/2188-85-0x0000000000000000-mapping.dmp

Download
memory/2668-76-0x0000000000000000-mapping.dmp

Download
memory/3044-86-0x0000000000000000-mapping.dmp

Download
memory/3552-80-0x0000000000000000-mapping.dmp

Download
memory/3680-81-0x0000000000000000-mapping.dmp

Download
memory/3812-2-0x00007FF6EF270000-0x00007FF6EF2AF000-memory.dmp

Filesize
252KB

Download
memory/3812-3-0x0000000180000000-0x0000000180024000-memory.dmp

Filesize
144KB

Download
memory/3908-84-0x0000000000000000-mapping.dmp

Download
memory/4008-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads