Overview

Static analysis: score 10

Task scores (sample / platform / score):
  14118.biy.dll            windows7_x64     8
  14118.biy.dll            windows10_x64    8
  14118.xlsb               windows7_x64     8
  14118.xlsb               windows10_x64    1
  B24C.tmp.dll             windows7_x64     1
  B24C.tmp.dll             windows10_x64    10
  NZM32A4.exe              windows7_x64     10
  NZM32A4.exe              windows10_x64    10
  subscripti...0.xlsb      windows7_x64     10
  subscripti...0.xlsb      windows10_x64    10
  thqsg.exe                windows7_x64     10
  thqsg.exe                windows10_x64    10
Analysis
  max time kernel:   122s
  max time network:  104s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         08-04-2021 05:42
Behavioral tasks (task / sample / resource):
  behavioral1    14118.biy.dll                   win7v20201028
  behavioral2    14118.biy.dll                   win10v20201028
  behavioral3    14118.xlsb                      win7v20201028
  behavioral4    14118.xlsb                      win10v20201028
  behavioral5    B24C.tmp.dll                    win7v20201028
  behavioral6    B24C.tmp.dll                    win10v20201028
  behavioral7    NZM32A4.exe                     win7v20201028
  behavioral8    NZM32A4.exe                     win10v20201028
  behavioral9    subscription_1617817060.xlsb    win7v20201028
  behavioral10   subscription_1617817060.xlsb    win10v20201028
  behavioral11   thqsg.exe                       win7v20201028
  behavioral12   thqsg.exe                       win10v20201028
General
  Target:  thqsg.exe
  Size:    98KB
  MD5:     c41188e4415567a1465712a6c85331a6
  SHA1:    2cbf699017e281693a517ff3c9e78f34e4126d6c
  SHA256:  efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
  SHA512:  f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Bazar/Team9 Loader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral12/memory/4760-2-0x0000028FDD3C0000-0x0000028FDD3D7000-memory.dmp   BazarLoaderVar1

- Runs ping.exe (1 TTP, 1 IoC)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    process
  4760   thqsg.exe
  4760   thqsg.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid    process     target process
  PID 4760 wrote to memory of 4216    4760   thqsg.exe   cmd.exe
  PID 4760 wrote to memory of 4216    4760   thqsg.exe   cmd.exe
  PID 4216 wrote to memory of 2084    4216   cmd.exe     PING.EXE
  PID 4216 wrote to memory of 2084    4216   cmd.exe     PING.EXE
  PID 4216 wrote to memory of 4320    4216   cmd.exe     thqsg.exe
  PID 4216 wrote to memory of 4320    4216   cmd.exe     thqsg.exe
  Note that every entry here is a parent writing into a child it has just spawned (4760 -> 4216, 4216 -> 2084, 4216 -> 4320). Process creation itself writes into the new child's address space, so this signature on its own is weak evidence next to the YARA match on the PID 4760 memory dump above.
Processes (tree; PIDs taken from the signature tables above)

C:\Users\Admin\AppData\Local\Temp\thqsg.exe  (PID 4760)
  command line: "C:\Users\Admin\AppData\Local\Temp\thqsg.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SYSTEM32\cmd.exe  (PID 4216)
    command line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\thqsg.exe DZOF6
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE  (PID 2084)
      command line: ping 8.8.7.7 -n 2
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\thqsg.exe  (PID 4320)
      command line: C:\Users\Admin\AppData\Local\Temp\thqsg.exe DZOF6

The first thqsg.exe instance runs with no arguments; it has cmd.exe wait on two ping replies (a common stand-in for sleep, and 8.8.7.7 need not answer for the delay to occur) and then start a second copy of itself with the argument DZOF6 that the first instance did not have.
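The chain above (loader -> cmd.exe "ping <host> -n N & start <loader> <arg>" -> PING.EXE plus a relaunched loader) is worth detecting by shape rather than by the hash or the host. The following is an added example written for this report, not code from the sandbox or from the sample: it runs a detection over process-creation records, looks for a cmd.exe child whose command line delays with ping and then starts the same image as its own parent, and reports the relaunch arguments and the resulting child PID. The records are constructed from the process tree above (PIDs 4760, 4216, 2084, 4320); the explorer.exe root (PID 1234) and the benign PID 5000 control case are assumptions added so the chain has a parent and there is something to reject.

```python
"""Detect the delayed self-relaunch pattern from the process tree:
<loader> -> cmd.exe /c ping <host> -n <N> & start <loader> <args>.

Added example for this report. The events are hand-built from the report's
process tree plus assumed PIDs 1234 and 5000; they are not real logs."""
from __future__ import annotations

import ntpath
import re
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path as a process-creation log would record it
    cmdline: str   # command line as recorded


# Constructed input. PID 1234 (explorer.exe) and PID 5000 are assumptions.
EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4760, 1234, r"C:\Users\Admin\AppData\Local\Temp\thqsg.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\thqsg.exe"'),
    ProcEvent(4216, 4760, r"C:\Windows\SYSTEM32\cmd.exe",
              r"cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\thqsg.exe DZOF6"),
    ProcEvent(2084, 4216, r"C:\Windows\system32\PING.EXE", "ping 8.8.7.7 -n 2"),
    ProcEvent(4320, 4216, r"C:\Users\Admin\AppData\Local\Temp\thqsg.exe",
              r"C:\Users\Admin\AppData\Local\Temp\thqsg.exe DZOF6"),
    # Control case: ping used as a delay, but a different program is started.
    ProcEvent(5000, 1234, r"C:\Windows\SYSTEM32\cmd.exe",
              "cmd /c ping localhost -n 2 & start notepad.exe"),
]

# "ping <host> -n <count>" is a common stand-in for sleep in cmd one-liners;
# the delay comes from waiting for replies, so the host need not exist.
PING_RE = re.compile(r"\bping(?:\.exe)?\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)", re.IGNORECASE)
START_RE = re.compile(r"&{1,2}\s*start\s+(?P<rest>.+?)\s*$", re.IGNORECASE)


def parse_start_target(rest: str) -> tuple[str, str]:
    """Return (program, args) from the text after 'start', following cmd's rules:
    a leading quoted token is the window title, /switches are skipped and
    /d consumes a directory argument."""
    tokens = shlex.split(rest, posix=False)   # keeps quotes, leaves backslashes alone
    i = 0
    if tokens and tokens[0].startswith('"'):
        i = 1
    while i < len(tokens) and tokens[i].startswith("/"):
        i += 2 if tokens[i].lower() == "/d" else 1
    if i >= len(tokens):
        return "", ""
    return tokens[i].strip('"'), " ".join(tokens[i + 1:])


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, with surrounding quotes removed."""
    return ntpath.basename(path.strip('"')).lower()


def find_delayed_self_relaunch(events: list[ProcEvent]) -> list[dict]:
    """One finding per cmd.exe whose parent P runs 'ping ... -n N & start P ...'."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _base(e.image) != "cmd.exe":
            continue
        parent = by_pid.get(e.ppid)
        ping = PING_RE.search(e.cmdline)
        start = START_RE.search(e.cmdline)
        if parent is None or not ping or not start:
            continue
        target, args = parse_start_target(start.group("rest"))
        if _base(target) != _base(parent.image):
            continue   # delay followed by some other program: not this pattern
        relaunched = [c.pid for c in events
                      if c.ppid == e.pid and _base(c.image) == _base(parent.image)]
        findings.append({
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "cmd_pid": e.pid,
            "ping_host": ping.group("host"),
            "ping_count": int(ping.group("count")),
            "relaunch_args": args,
            "relaunched_pids": relaunched,
        })
    return findings


if __name__ == "__main__":
    for finding in find_delayed_self_relaunch(EVENTS):
        print(finding)
```

Keyed on the parent/child image relationship rather than on 8.8.7.7 or the file hash, the same logic applies unchanged to real Sysmon Event ID 1 or EDR process-creation data once the records are mapped onto ProcEvent; the PID 5000 control shows why the self-relaunch check matters, since plain "ping then start" is common in legitimate scripts.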