bazarbackdoor | 5cd0951a1172d5b029f180da1d44826bb6ca117acf15df52671464038114455f

General

Target

facts.08.21.doc
Size

75KB
MD5

97d717e44f8f2faf01af69a10886718a
SHA1

87b6c88f1dbc252f957d960f5c3fa9970f5ba76d
SHA256

5cd0951a1172d5b029f180da1d44826bb6ca117acf15df52671464038114455f
SHA512

7d2aa1ad1b02a393086ed6bcaed85a58c4421962a283cd5e7a088d6a1f03af9f9dead8e4a894ac4a7921507c114f60cce1d198c921965efe3561073af316d259

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1972	1672	cmd.exe	WINWORD.EXE

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/316-78-0x00000000FF400000-0x00000000FF451000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/316-79-0x00000000FF4246D0-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/316-80-0x00000000FF400000-0x00000000FF451000-memory.dmp	BazarBackdoorVar4

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 2024 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

616 regsvr32.exe
1816 regsvr32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1816 set thread context of 316 1816 regsvr32.exe svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
6	2024	mshta.exe

pid	process
616	regsvr32.exe
1816	regsvr32.exe

description	pid	process	target process
PID 1816 set thread context of 316	1816	regsvr32.exe	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1672 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exe

pid process

1816 regsvr32.exe
1816 regsvr32.exe
1816 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1672 WINWORD.EXE
1672 WINWORD.EXE

pid	process
1672	WINWORD.EXE

pid	process
1816	regsvr32.exe
1816	regsvr32.exe
1816	regsvr32.exe

pid	process
1672	WINWORD.EXE
1672	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.exemshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1672 wrote to memory of 1972	1672	WINWORD.EXE	cmd.exe
PID 1672 wrote to memory of 1972	1672	WINWORD.EXE	cmd.exe
PID 1672 wrote to memory of 1972	1672	WINWORD.EXE	cmd.exe
PID 1672 wrote to memory of 1972	1672	WINWORD.EXE	cmd.exe
PID 1972 wrote to memory of 2024	1972	cmd.exe	mshta.exe
PID 1972 wrote to memory of 2024	1972	cmd.exe	mshta.exe
PID 1972 wrote to memory of 2024	1972	cmd.exe	mshta.exe
PID 1972 wrote to memory of 2024	1972	cmd.exe	mshta.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 2024 wrote to memory of 616	2024	mshta.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 616 wrote to memory of 1816	616	regsvr32.exe	regsvr32.exe
PID 1672 wrote to memory of 1652	1672	WINWORD.EXE	splwow64.exe
PID 1672 wrote to memory of 1652	1672	WINWORD.EXE	splwow64.exe
PID 1672 wrote to memory of 1652	1672	WINWORD.EXE	splwow64.exe
PID 1672 wrote to memory of 1652	1672	WINWORD.EXE	splwow64.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe
PID 1816 wrote to memory of 316	1816	regsvr32.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\facts.08.21.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\users\public\varForFor.hta
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\varForFor.hta"
3⤵
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\varForFor.jpg
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\regsvr32.exe
c:\users\public\varForFor.jpg
5⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
6⤵
PID:316

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe ,StartW 3815695406
1⤵
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
82f6f67a0fbe08910a29f23806d2e7a2

SHA1
a25d8d39c46921c762314901896328e7ac973258

SHA256
e609bdafacc1ba6556f371fddee5822ca2ba182383a8e121f3d36cfa83dfcce0

SHA512
44938f8df8037cc78f483ca7cd6c36abe71602b71d4e5d8a5df11aaf3928a7c903edbd7d2356f86eaf7d097289f4b17a8acc413e3387988dd0fc62ce221f6b7e

Download Submit
C:\users\public\varForFor.hta
MD5
2fe2f205b4408edf309a5ee9056e89e7

SHA1
b838a7417d9d5ec5a1c74974690dbbac3cdf5159

SHA256
3face3dc221495c3abf4a4c186c54f1f36dd43476b00e956756c874080e786c9

SHA512
990ea265a03ec30f53f19e2a78571cee4adf76075ec84e1a765d1680a4cf2f45494f1854a16e4e34d561b8210435e95e0d7efc586983de82ff4f977942f1b174

Download Submit
\??\c:\users\public\varForFor.jpg
MD5
f060b82d3ee660d4cd49ee38c77256fa

SHA1
5d38a3ca275a7dbf63adba82d5bd32c35a5cb2ea

SHA256
68f4414a96fd9204bb285b50b438339a00f4f20801cd4c9df07d4357774428aa

SHA512
f117a041b82b92336f8e19aa8e4fc6f3cea06a0e0ec91641a5bb70429d853c2e2669515d56f1a5a8d8cd0737b34567d90774cc8a905655daf8872d4055531059

Download Submit
\Users\Public\varForFor.jpg
MD5
f060b82d3ee660d4cd49ee38c77256fa

SHA1
5d38a3ca275a7dbf63adba82d5bd32c35a5cb2ea

SHA256
68f4414a96fd9204bb285b50b438339a00f4f20801cd4c9df07d4357774428aa

SHA512
f117a041b82b92336f8e19aa8e4fc6f3cea06a0e0ec91641a5bb70429d853c2e2669515d56f1a5a8d8cd0737b34567d90774cc8a905655daf8872d4055531059

Download Submit
\Users\Public\varForFor.jpg
MD5
f060b82d3ee660d4cd49ee38c77256fa

SHA1
5d38a3ca275a7dbf63adba82d5bd32c35a5cb2ea

SHA256
68f4414a96fd9204bb285b50b438339a00f4f20801cd4c9df07d4357774428aa

SHA512
f117a041b82b92336f8e19aa8e4fc6f3cea06a0e0ec91641a5bb70429d853c2e2669515d56f1a5a8d8cd0737b34567d90774cc8a905655daf8872d4055531059

Download Submit
memory/316-78-0x00000000FF400000-0x00000000FF451000-memory.dmp

Filesize
324KB

Download
memory/316-79-0x00000000FF4246D0-mapping.dmp

Download
memory/316-80-0x00000000FF400000-0x00000000FF451000-memory.dmp

Filesize
324KB

Download
memory/616-68-0x0000000000000000-mapping.dmp

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/1672-83-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1672-61-0x0000000070471000-0x0000000070473000-memory.dmp

Filesize
8KB

Download
memory/1672-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1672-63-0x0000000075971000-0x0000000075973000-memory.dmp

Filesize
8KB

Download
memory/1672-60-0x00000000729F1000-0x00000000729F4000-memory.dmp

Filesize
12KB

Download
memory/1816-72-0x0000000000000000-mapping.dmp

Download
memory/1816-75-0x00000000002D0000-0x00000000002F5000-memory.dmp

Filesize
148KB

Download
memory/1816-73-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1972-64-0x0000000000000000-mapping.dmp

Download
memory/2024-67-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads