Resubmissions

Submitted         | Task ID            | Score
18-01-2022 06:34  | 220118-hb7wyaabep  | 10
15-09-2021 06:41  | 210915-hf8n2adaeq  | 10
15-09-2021 06:33  | 210915-hbdm4adael  | 1

Analysis
max time kernel: 546s
max time network: 560s
platform: windows10_x64
resource: win10v20210408
submitted: 15-09-2021 06:41

Static task: static1
Behavioral task: behavioral1
Sample: TIMECLOCK.exe
Resource: win10v20210408
0 signatures, 0 seconds
General

Target: TIMECLOCK.exe
Size: 460KB
MD5: 513b43a30628978d52d18912b72dcdd0
SHA1: 97368003849122e99dc7b0e25b4b37b2999053ee
SHA256: 47bac27be954cf593ac731cd57fa98b565cf5036a6fbf35c508549f039eea8f3
SHA512: a8e846109b644df3e905e33ae2218b5f0c7f65efd2a202c2d2c38a89d2e979d4379862b545523b7338855f51f087ad4d7c41746197e9f233e938ed4bbfbb5c0c
Score: 10/10
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (5 IoCs)

resource    | memory region                                                | yara_rule
behavioral1 | memory/996-114-0x00000000023C0000-0x00000000023D4000-memory.dmp  | BazarLoaderVar1
behavioral1 | memory/996-117-0x00000000023E0000-0x00000000023F6000-memory.dmp  | BazarLoaderVar1
behavioral1 | memory/996-120-0x00000000023A0000-0x00000000023B2000-memory.dmp  | BazarLoaderVar1
behavioral1 | memory/2084-121-0x0000000002180000-0x0000000002194000-memory.dmp | BazarLoaderVar1
behavioral1 | memory/2084-124-0x00000000021A0000-0x00000000021B6000-memory.dmp | BazarLoaderVar1

Blocklisted process makes network request (8 IoCs)

flow | pid  | Process
20   | 2748 | cmd.exe
27   | 2748 | cmd.exe
30   | 2748 | cmd.exe
31   | 2748 | cmd.exe
32   | 2748 | cmd.exe
33   | 2748 | cmd.exe
34   | 2748 | cmd.exe
35   | 2748 | cmd.exe

Suspicious use of SetThreadContext (1 IoC)

description                         | pid | Process       | procid_target
PID 996 set thread context of 2748  | 996 | TIMECLOCK.exe | 76

Suspicious use of SetWindowsHookEx (4 IoCs)

pid  | Process
996  | TIMECLOCK.exe
996  | TIMECLOCK.exe
2084 | TIMECLOCK.exe
2084 | TIMECLOCK.exe

Suspicious use of WriteProcessMemory (64 IoCs)

description                       | pid | Process       | procid_target
PID 996 wrote to memory of 2748   | 996 | TIMECLOCK.exe | 76
(the row above is repeated 64 times in the report: every one of the 64 writes is from PID 996 into PID 2748)
Processes

C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe"
    PID: 996
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\System32\cmd.exe
        PID: 2748
        - Blocklisted process makes network request

C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe
    command line: C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe {436805BE-460E-422E-B39A-3662EDDE0573}
    PID: 2084
    - Suspicious use of SetWindowsHookEx