Analysis
max time kernel: 90s
max time network: 131s
platform: windows7_x64
resource: win7v20210410
submitted: 22-07-2021 03:28
Static task: static1
Behavioral task: behavioral1
  Sample: 9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll
  Resource: win10v20210408
General
Target: 9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll
Size: 142KB
MD5: 95ac6fda2d58ac5de7fd19220443e808
SHA1: 666d8b10f5b39aec23bb67d7f03288c8dbcd45d8
SHA256: 9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86
SHA512: 3db7c4e7ea8338b99e1c38a7cb00c838cce734ae614342bb69aa43f89215ce05ed09461e62bf2b3d89bd5472b0559a9105b8a6a4216dd19d26ea190e4aa7931c
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 3 IoCs
Processes:
resource | yara_rule
behavioral1/memory/588-61-0x00000000FFFF44E0-mapping.dmp | BazarBackdoorVar4
behavioral1/memory/588-60-0x00000000FFFD0000-0x0000000100021000-memory.dmp | BazarBackdoorVar4
behavioral1/memory/588-62-0x00000000FFFD0000-0x0000000100021000-memory.dmp | BazarBackdoorVar4
-
Bazar/Team9 Loader payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1104-59-0x0000000001C50000-0x0000000001D2C000-memory.dmp | BazarLoaderVar6
behavioral1/memory/1636-65-0x0000000001BF0000-0x0000000001CCC000-memory.dmp | BazarLoaderVar6
-
Blocklisted process makes network request 2 IoCs
Processes: rundll32.exe
flow | pid | process
4 | 1104 | rundll32.exe
6 | 1104 | rundll32.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 1104 set thread context of 588 | 1104 | rundll32.exe | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: rundll32.exe
pid | process
1104 | rundll32.exe
1104 | rundll32.exe
1104 | rundll32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: rundll32.exe
description | pid | process | target process
PID 1104 wrote to memory of 588 | 1104 | rundll32.exe | svchost.exe
(the same row appears 64 times in the report, one per IoC)
Processes
-
C:\Windows\system32\rundll32.exe (tree depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll,#1
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exe (tree depth 2)
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
-
C:\Windows\System32\rundll32.exe (tree depth 1)
  command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll,#1 543985734
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: 2902de11e30dcc620b184e3bb0f0c1cb
SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: c2a8786e753aa13f05665e383d7ea3ac
SHA1: 82af30ba72e1952e3b5808cdd613312d5c05ff5b
SHA256: 08cda9554078339dc539114376af62fc57a8ba9c7372745d03d9c57f9c7620be
SHA512: 6d151fc6000236360bf046203802a078a0f9d4f555cf23ea4b60b0b80e322d044ab0be609fa3bc03a7e82ffadd624709235d09dd3243a5cf299ae1fa9b83e333
-
memory/588-61-0x00000000FFFF44E0-mapping.dmp
-
memory/588-60-0x00000000FFFD0000-0x0000000100021000-memory.dmp
Filesize: 324KB
-
memory/588-62-0x00000000FFFD0000-0x0000000100021000-memory.dmp
Filesize: 324KB
-
memory/1104-59-0x0000000001C50000-0x0000000001D2C000-memory.dmp
Filesize: 880KB
-
memory/1636-65-0x0000000001BF0000-0x0000000001CCC000-memory.dmp
Filesize: 880KB