Analysis
- max time kernel: 151s
- max time network: 180s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 16-07-2021 16:29
Static task: static1
Behavioral task: behavioral1
  Sample: baza-or-cs.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: baza-or-cs.dll
  Resource: win10v20210410
General
- Target: baza-or-cs.dll
- Size: 153KB
- MD5: ea3612919bf05b66e9a608bee742a422
- SHA1: 032747a1658fea7f8d624c11ae965f3218f96909
- SHA256: fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
- SHA512: f2f049ef68cd5c06511dab2ef82a67e0aa44ac583ec5e84ec7cba1627f47c31a748ad58e1b065401b162a4266f753ac842efceef7cbe33efb0a9d8399365e2c7
Malware Config
Signatures
- Bazar Loader: Detected loader normally used to deploy BazarBackdoor malware.
- BazarBackdoor: Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
- Bazar/Team9 Backdoor payload (3 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/996-60-0x00000000FF670000-0x00000000FF6C1000-memory.dmp  BazarBackdoorVar4
  behavioral1/memory/996-61-0x00000000FF694550-mapping.dmp  BazarBackdoorVar4
  behavioral1/memory/996-64-0x00000000FF670000-0x00000000FF6C1000-memory.dmp  BazarBackdoorVar4
- Bazar/Team9 Loader payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/1944-59-0x0000000001BA0000-0x0000000001C7C000-memory.dmp  BazarLoaderVar6
  behavioral1/memory/380-65-0x0000000000220000-0x00000000002FC000-memory.dmp  BazarLoaderVar6
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
  4  1944  rundll32.exe
  7  1944  rundll32.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
  PID 1944 set thread context of 996  1944  rundll32.exe  svchost.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid / process):
  1944  rundll32.exe
  1944  rundll32.exe
  1944  rundll32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process), 64 identical entries:
  PID 1944 wrote to memory of 996  1944  rundll32.exe  svchost.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\baza-or-cs.dll,#1
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe (child process)
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\baza-or-cs.dll,#1 3004615058
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  MD5: 2902de11e30dcc620b184e3bb0f0c1cb
  SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
  SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
  SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  MD5: cf2bfd48781236d6efdedf65f776f0a7
  SHA1: 1afc5c5f53796a611a1ca53b0b9498c2aa2e27ae
  SHA256: 2d0b97ea26dbc9a5cb24e3fca19ee1faaa1c419f914a05103d578e7e23d9813c
  SHA512: 2d7a6e19566a53a6f0b45f567968bc8610bf8823b58068f53d5528b474f64d1ffded2ceeee4f2f05ed31a2b445b83cbfcf557c265813b9439a701c91ba58d0fc
- memory/380-65-0x0000000000220000-0x00000000002FC000-memory.dmp
  Filesize: 880KB
- memory/996-60-0x00000000FF670000-0x00000000FF6C1000-memory.dmp
  Filesize: 324KB
- memory/996-61-0x00000000FF694550-mapping.dmp
- memory/996-64-0x00000000FF670000-0x00000000FF6C1000-memory.dmp
  Filesize: 324KB
- memory/1944-59-0x0000000001BA0000-0x0000000001C7C000-memory.dmp
  Filesize: 880KB