Resubmissions

24-08-2021 15:46

210824-t6hzlqqj4a 10

24-08-2021 15:30

210824-gm7skbgnee 10

24-08-2021 15:27

210824-68px7xses6 10

24-08-2021 15:17

210824-2783vynafn 10

04-08-2021 16:51

210804-8pmmxqpdzn 10

Analysis

  • max time kernel
    133s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-08-2021 15:27

General

  • Target

    JVrLyRD.dat.dll

  • Size

    242KB

  • MD5

    12e60d21fd9c8675368635ea5246e393

  • SHA1

    60ae64cd005f862797279fb151c9a0433b8e654c

  • SHA256

    70c2422033dd395c0a6c15b5e6dbdde34aa65b7481d4b8298e70e0c3e72a2182

  • SHA512

    6509c404b274af6250a241b441558d010729da12bbad47dd59c2da5a7480f682ff8c5bfeace9b2bc65db22f212b6399cd74f3f25ae22354db0ca8e06d85ed189

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JVrLyRD.dat.dll
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:268

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/268-62-0x00000000FF490000-0x00000000FF4E1000-memory.dmp

      Filesize

      324KB

    • memory/268-64-0x00000000FF490000-0x00000000FF4E1000-memory.dmp

      Filesize

      324KB

    • memory/1648-60-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

      Filesize

      8KB

    • memory/1648-61-0x0000000001E50000-0x0000000001FE7000-memory.dmp

      Filesize

      1.6MB