Analysis
max time kernel: 123s
max time network: 106s
platform: windows7_x64
resource: win7v20201028
submitted: 08-04-2021 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: c41188e4415567a1465712a6c85331a6.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: c41188e4415567a1465712a6c85331a6.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: c41188e4415567a1465712a6c85331a6.exe
Size: 98KB
MD5: c41188e4415567a1465712a6c85331a6
SHA1: 2cbf699017e281693a517ff3c9e78f34e4126d6c
SHA256: efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
SHA512: f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Score: 10/10
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (1 IoCs)
  resource: behavioral1/memory/1084-60-0x00000000002E0000-0x00000000002F7000-memory.dmp
  yara_rule: BazarLoaderVar1

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 1084
  process: c41188e4415567a1465712a6c85331a6.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | process | target process
  PID 1084 wrote to memory of 1700 | 1084 | c41188e4415567a1465712a6c85331a6.exe | cmd.exe
  PID 1084 wrote to memory of 1700 | 1084 | c41188e4415567a1465712a6c85331a6.exe | cmd.exe
  PID 1084 wrote to memory of 1700 | 1084 | c41188e4415567a1465712a6c85331a6.exe | cmd.exe
  PID 1700 wrote to memory of 604 | 1700 | cmd.exe | PING.EXE
  PID 1700 wrote to memory of 604 | 1700 | cmd.exe | PING.EXE
  PID 1700 wrote to memory of 604 | 1700 | cmd.exe | PING.EXE
  PID 1700 wrote to memory of 744 | 1700 | cmd.exe | c41188e4415567a1465712a6c85331a6.exe
  PID 1700 wrote to memory of 744 | 1700 | cmd.exe | c41188e4415567a1465712a6c85331a6.exe
  PID 1700 wrote to memory of 744 | 1700 | cmd.exe | c41188e4415567a1465712a6c85331a6.exe
Processes
(indentation shows parent/child depth; PIDs are taken from the WriteProcessMemory IoCs above)

C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe (PID 1084)
  command line: "C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 1700)
    command line: cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe UN10
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE (PID 604)
      command line: ping 8.8.7.7 -n 2
      - Runs ping.exe

    C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe (PID 744)
      command line: C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe UN10
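The tree above is the delay-and-relaunch idiom: the sample spawns cmd.exe, which pings an address with `-n 2` (each echo after the first waits roughly a second, so this is a cheap sleep) and then `start`s the same binary again with the argument UN10. The following is an added example, not part of the Triage report and not code from the sample: a Python detector over Sysmon-style process-creation records that flags a cmd.exe which pings for a delay and then `start`s its own parent's image. The event list is constructed for the example; it reuses the report's PIDs (1084, 1700, 604, 744) and command lines, while the grandparent PID 900 and the benign ping case (PIDs 1500, 2000, 2001) are made up.

```python
"""Flag the ping-delay-then-relaunch chain from the process tree above.

Added example over constructed Sysmon-style process-creation records;
the EVENTS list is modelled on the report, it is not real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c41188e4415567a1465712a6c85331a6.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# Constructed events: the four processes from the report plus a benign
# reachability check (cmd /c ping with no relaunch) that must not fire.
EVENTS = [
    ProcEvent(1084, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1700, 1084, r"C:\Windows\system32\cmd.exe",
              f"cmd /c ping 8.8.7.7 -n 2 & start {SAMPLE} UN10"),
    ProcEvent(604, 1700, r"C:\Windows\system32\PING.EXE", "ping 8.8.7.7 -n 2"),
    ProcEvent(744, 1700, SAMPLE, f"{SAMPLE} UN10"),
    ProcEvent(2000, 1500, r"C:\Windows\system32\cmd.exe", "cmd /c ping 10.0.0.1 -n 2"),
    ProcEvent(2001, 2000, r"C:\Windows\system32\PING.EXE", "ping 10.0.0.1 -n 2"),
]

# `ping <host> -n <count>` used as a sleep: every echo after the first adds about a second.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+\S+\s+-n\s+(\d+)", re.IGNORECASE)


def parse_start(cmdline):
    """Return (target, args) for the first `start` command in a cmd line, else None."""
    for seg in re.split(r"\s*&+\s*", cmdline):           # cmd chains commands with & / &&
        toks = re.findall(r'"[^"]*"|\S+', seg)           # keep quoted paths together
        idx = next((i for i, t in enumerate(toks) if t.lower() == "start"), None)
        if idx is None:
            continue
        rest = toks[idx + 1:]
        if rest and rest[0] == '""':                     # `start "" prog`: empty window title
            rest = rest[1:]
        while rest and rest[0].startswith("/"):          # `start /b /min ...` switches
            rest = rest[1:]
        if not rest:
            return None
        return rest[0].strip('"'), " ".join(t.strip('"') for t in rest[1:])
    return None


def same_image(a, b):
    """Case-insensitive path match; compare basenames when one side has no directory."""
    a, b = ntpath.normcase(a), ntpath.normcase(b)
    if ntpath.dirname(a) and ntpath.dirname(b):
        return a == b
    return ntpath.basename(a) == ntpath.basename(b)


def detect_delay_relaunch(events):
    """Return one finding per cmd.exe that pings for a delay and then `start`s a binary."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if ntpath.basename(e.image).lower() != "cmd.exe":
            continue
        delay = PING_DELAY.search(e.cmdline)
        started = parse_start(e.cmdline)
        if not (delay and started):
            continue
        target, args = started
        parent = by_pid.get(e.ppid)
        kids = children.get(e.pid, [])
        findings.append({
            "cmd_pid": e.pid,
            "parent_pid": e.ppid,
            "parent_image": parent.image if parent else None,
            "ping_count": int(delay.group(1)),
            "relaunch_target": target,
            "relaunch_args": args,
            # The strong signal: cmd.exe re-launches the very binary that spawned it.
            "relaunch_of_parent": parent is not None and same_image(target, parent.image),
            "spawned_ping": any(ntpath.basename(k.image).lower() == "ping.exe" for k in kids),
            "spawned_target": any(same_image(k.image, target) for k in kids),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_delay_relaunch(EVENTS):
        print(finding)
```

On the constructed events only PID 1700 is reported, with relaunch_of_parent set because the `start` target equals the parent's image and with both the PING.EXE child and the relaunched copy observed. The benign `cmd /c ping 10.0.0.1 -n 2` is ignored because it has no `start` segment; a real deployment would also want to alert on the relaunch argument (here UN10), since loaders commonly use it to tell the second instance which stage to run.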