Analysis

  • max time kernel
    110s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    04-05-2021 17:55

General

  • Target

    http://176.111.174.59/uploads/files/teret.exe

  • Sample

    210504-wtf6525d6x

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload (3 IoCs)
  • Bazar/Team9 Loader payload (2 IoCs)
  • Blocklisted process makes network request (4 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Modifies Internet Explorer Phishing Filter (1 TTP, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 33 IoCs)
  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://176.111.174.59/uploads/files/teret.exe
    1⤵
    • Modifies Internet Explorer Phishing Filter
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3940
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe
      "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe
        3⤵
        • Blocklisted process makes network request
        PID:2252
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe
    C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe 297517731
    1⤵
    • Executes dropped EXE
    PID:3980
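
A detection pass over the chain above, as an added example that is not part of the sandbox report or the sample: it replays the process tree as constructed Sysmon-style events (event ID 1 for process creation, 3 for a network connection; the log format is assumed) and flags the traits the signatures list. Those are an executable launched from the IE cache by the browser, cmd.exe created with no arguments by that executable and then making a network request (the shape of process hollowing, consistent with the SetThreadContext and WriteProcessMemory signatures on PID 3488), and the dropped file relaunching itself with a numeric argument. The browser set, the no-network blocklist and the user-writable path markers are assumptions to tune per environment.

```python
"""Detection pass over the process chain shown above (added example, not report code).

Events are constructed from the Processes section (PIDs, image paths, command
lines, parent links). Sysmon-style event IDs are assumed: 1 = process create,
3 = network connection.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy sets: adjust to the environment.
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
NO_NETWORK_EXPECTED = {"cmd.exe"}  # binaries that should never open a socket themselves
USER_WRITABLE_MARKERS = ("\\inetcache\\", "\\appdata\\local\\temp\\", "\\downloads\\")


@dataclass
class Event:
    event_id: int                    # 1 = process create, 3 = network connection
    pid: int
    image: str
    command_line: str = ""
    parent_pid: Optional[int] = None
    parent_image: str = ""


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
TERET = r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed from the report's process tree; the second teret.exe (PID 3980)
# is shown at the root there, so its parent is left unknown.
EVENTS = [
    Event(1, 672, IE, f'"{IE}" http://176.111.174.59/uploads/files/teret.exe'),
    Event(1, 3940, IE32, f'"{IE32}" SCODEF:672 CREDAT:82945 /prefetch:2', 672, IE),
    Event(1, 3488, TERET, f'"{TERET}"', 672, IE),
    Event(1, 2252, CMD, CMD, 3488, TERET),
    Event(3, 2252, CMD),
    Event(1, 3980, TERET, f"{TERET} 297517731"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def arguments(command_line: str) -> List[str]:
    """Drop the image token (quoted or bare) and return the remaining argv."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def analyze(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    launches: Dict[str, int] = {}    # image -> launch count, to spot a self-relaunch
    for ev in events:
        name = basename(ev.image)
        if ev.event_id == 1:
            key = ev.image.lower()
            launches[key] = launches.get(key, 0) + 1
            args = arguments(ev.command_line)
            if is_user_writable(ev.image):
                findings.append(Finding(ev.pid, "exe_from_user_writable_path"))
            if basename(ev.parent_image) in BROWSERS and name not in BROWSERS:
                findings.append(Finding(ev.pid, "browser_spawned_executable"))
            # cmd.exe created with an empty argv by a binary in a user-writable path:
            # a process started only to be hollowed, matching the SetThreadContext /
            # WriteProcessMemory signatures on the parent.
            if name == "cmd.exe" and not args and is_user_writable(ev.parent_image):
                findings.append(Finding(ev.pid, "bare_cmd_from_user_writable_parent"))
            # Same image launched again with a single numeric argument (PID 3980 above).
            if launches[key] > 1 and len(args) == 1 and args[0].isdigit():
                findings.append(Finding(ev.pid, "self_relaunch_with_numeric_argument"))
        elif ev.event_id == 3 and name in NO_NETWORK_EXPECTED:
            findings.append(Finding(ev.pid, "blocklisted_process_network_request"))
    return findings


def suspicious_pids(events: List[Event]) -> List[int]:
    return sorted({f.pid for f in analyze(events)})


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"PID {f.pid}: {f.rule}")
```

Run against the constructed events this flags PIDs 2252, 3488 and 3980 and leaves both Internet Explorer processes alone; in production the same rules would be fed from Sysmon or EDR process and network telemetry, and the bare-cmd rule is most useful when correlated with the WriteProcessMemory and SetThreadContext signals on the parent rather than on its own.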

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), matched by 2 signatures

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    10987a1d727697d22e9613985bf39eba

    SHA1

    d92fa559cdea14bdc068eb5388f4a8725d9d290c

    SHA256

    8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

    SHA512

    31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    9b6847f795a718357a6f68c4d571f6eb

    SHA1

    3b3e36142b606d11e9009e7128068965e282045e

    SHA256

    f83dc4b6ff2bb2d05b8ae36132bbb6f0295351e647091208cfe9ecfa0f1104c1

    SHA512

    9aac47a67f7bdb6b82c8d8db41ffb11570527526de32cbcde87fe08f41bfb218734afe1d218046dc8d72a7db1afc3a1417586028139a5bbc8b3fb8f0db28d8f6

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe
    MD5

    43de3367faeffa04f28ad1e3e1f154eb

    SHA1

    f75d1719bb9a2f6a628a521a827bfbf26e44b9a2

    SHA256

    93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954

    SHA512

    53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZIIA2USJ\teret.exe.8bwzq9j.partial
    MD5

    43de3367faeffa04f28ad1e3e1f154eb

    SHA1

    f75d1719bb9a2f6a628a521a827bfbf26e44b9a2

    SHA256

    93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954

    SHA512

    53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069

  • memory/672-114-0x00007FFD1F1F0000-0x00007FFD1F25B000-memory.dmp
    Filesize

    428KB

  • memory/2252-125-0x00007FF6F42A4474-mapping.dmp
  • memory/2252-124-0x00007FF6F4280000-0x00007FF6F42D1000-memory.dmp
    Filesize

    324KB

  • memory/2252-126-0x00007FF6F4280000-0x00007FF6F42D1000-memory.dmp
    Filesize

    324KB

  • memory/3488-117-0x0000000000000000-mapping.dmp
  • memory/3488-119-0x0000022FBBEF0000-0x0000022FBBF2E000-memory.dmp
    Filesize

    248KB

  • memory/3940-115-0x0000000000000000-mapping.dmp
  • memory/3980-121-0x0000026D966D0000-0x0000026D9670E000-memory.dmp
    Filesize

    248KB