Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 08:07

General

  • Target

    cv76.exe

  • Size

    98KB

  • MD5

    c41188e4415567a1465712a6c85331a6

  • SHA1

    2cbf699017e281693a517ff3c9e78f34e4126d6c

  • SHA256

    efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d

  • SHA512

    f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cv76.exe
    "C:\Users\Admin\AppData\Local\Temp\cv76.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cv76.exe PN5H97D
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\system32\PING.EXE
        ping 8.8.7.7 -n 2
        3⤵
        • Runs ping.exe
        PID:3956
      • C:\Users\Admin\AppData\Local\Temp\cv76.exe
        C:\Users\Admin\AppData\Local\Temp\cv76.exe PN5H97D
        3⤵
          PID:1324

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Remote System Discovery

    1
    T1018

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1324-117-0x0000000000000000-mapping.dmp
    • memory/2632-114-0x0000022FB3410000-0x0000022FB3427000-memory.dmp
      Filesize

      92KB

    • memory/3956-116-0x0000000000000000-mapping.dmp
    • memory/3992-115-0x0000000000000000-mapping.dmp