Overview

overview

10

Static

static

TIMECLOCK.exe

windows10_x64

10

Resubmissions

18-01-2022 06:34

220118-hb7wyaabep 10

15-09-2021 06:41

210915-hf8n2adaeq 10

15-09-2021 06:33

210915-hbdm4adael 1

Analysis

  • max time kernel
    546s
  • max time network
    560s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    15-09-2021 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TIMECLOCK.exe

  • Size

    460KB

  • MD5

    513b43a30628978d52d18912b72dcdd0

  • SHA1

    97368003849122e99dc7b0e25b4b37b2999053ee

  • SHA256

    47bac27be954cf593ac731cd57fa98b565cf5036a6fbf35c508549f039eea8f3

  • SHA512

    a8e846109b644df3e905e33ae2218b5f0c7f65efd2a202c2d2c38a89d2e979d4379862b545523b7338855f51f087ad4d7c41746197e9f233e938ed4bbfbb5c0c

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 5 IoCs
  • Blocklisted process makes network request 8 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe
    "C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe
      2⤵
      • Blocklisted process makes network request
      PID:2748
  • C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe
    C:\Users\Admin\AppData\Local\Temp\TIMECLOCK.exe {436805BE-460E-422E-B39A-3662EDDE0573}
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DRMDU4BX\vACTH0kTwC[1]
    MD5

    ba30004f9864a7c1d22963da098ae937

    SHA1

    a2281da007709cfa6117a3cb8386be1fd810502e

    SHA256

    51a3fbc42187965a2ca26b16514e8dc39f97ea8f8429ea437ef31bc308fc8d35

    SHA512

    58596d7e0965e6fb16f629ef248affdf6232fd56e06e632eeba52c1e1b7c5cbf85ba00f1944ec0f55d6f0d4df8e784f6e04f42944736fd988dabce9a68e57caa

    Download Submit

  • memory/996-114-0x00000000023C0000-0x00000000023D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/996-117-0x00000000023E0000-0x00000000023F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/996-120-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2084-121-0x0000000002180000-0x0000000002194000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2084-124-0x00000000021A0000-0x00000000021B6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2748-127-0x0000000000E00000-0x0000000000E43000-memory.dmp

    Filesize

    268KB

    Download

  • memory/2748-128-0x0000000000E24525-mapping.dmp

    Download

  • memory/2748-129-0x0000000000E00000-0x0000000000E43000-memory.dmp

    Filesize

    268KB

    Download