Analysis
-
max time kernel
88s -
max time network
41s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27-07-2021 14:54
Static task
static1
Behavioral task
behavioral1
Sample
iCoreBr.jpg.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
iCoreBr.jpg.dll
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
General
-
Target
iCoreBr.jpg.dll
-
Size
1.3MB
-
MD5
132e6560ca121679635684e812586bba
-
SHA1
6f48b7929e65aac27f3bf3cce24c7ad40624dc74
-
SHA256
c882f778e40b276c90d467816deda7605d9955e4302aa6ab7467aeae3f155048
-
SHA512
3c3fd439c29e36a2ef174f82c4df36c89a87bbc2e280753166bc25b14b6066fc6b0eff7101e4b301e51722271b76ebdb79dbf58a201a7a4c8bcb64e708e6a4a5
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/468-60-0x0000000027340000-0x00000000273A4000-memory.dmp BazarLoaderVar3 behavioral1/memory/692-65-0x0000000002010000-0x0000000002074000-memory.dmp BazarLoaderVar3 -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
regsvr32.exepid process 692 regsvr32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
regsvr32.execmd.exedescription pid process target process PID 468 wrote to memory of 1604 468 regsvr32.exe cmd.exe PID 468 wrote to memory of 1604 468 regsvr32.exe cmd.exe PID 468 wrote to memory of 1604 468 regsvr32.exe cmd.exe PID 1604 wrote to memory of 1520 1604 cmd.exe PING.EXE PID 1604 wrote to memory of 1520 1604 cmd.exe PING.EXE PID 1604 wrote to memory of 1520 1604 cmd.exe PING.EXE PID 1604 wrote to memory of 692 1604 cmd.exe regsvr32.exe PID 1604 wrote to memory of 692 1604 cmd.exe regsvr32.exe PID 1604 wrote to memory of 692 1604 cmd.exe regsvr32.exe PID 1604 wrote to memory of 692 1604 cmd.exe regsvr32.exe PID 1604 wrote to memory of 692 1604 cmd.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 83⤵
- Runs ping.exe
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\iCoreBr.jpg.dll" mscp ahis3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/468-59-0x000007FEFB531000-0x000007FEFB533000-memory.dmpFilesize
8KB
-
memory/468-60-0x0000000027340000-0x00000000273A4000-memory.dmpFilesize
400KB
-
memory/692-63-0x0000000000000000-mapping.dmp
-
memory/692-65-0x0000000002010000-0x0000000002074000-memory.dmpFilesize
400KB
-
memory/1520-62-0x0000000000000000-mapping.dmp
-
memory/1604-61-0x0000000000000000-mapping.dmp