Analysis
- max time kernel: 126s
- max time network: 131s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 27-09-2021 11:04
Static task: static1
Behavioral task: behavioral1
  Sample: malware-bahaya-rt3ret3.exe
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: malware-bahaya-rt3ret3.exe
  Resource: win10v20210408
General
- Target: malware-bahaya-rt3ret3.exe
- Size: 236KB
- MD5: efa4b2e7d7016a1f80efff5840de3a18
- SHA1: 04606786daa6313867c7ada1f0c9c925d9b602fb
- SHA256: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
- SHA512: 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoC)
  resource | yara_rule
  behavioral2/memory/664-114-0x0000000180000000-0x0000000180032000-memory.dmp | BazarLoaderVar1
- Executes dropped EXE (2 IoCs)
  pid | process
  3864 | PLC7B21.exe
  2164 | PLC7B21.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | PLC7B21.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ZUGLAD6YA = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v J9QIBEZUVZ /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PLC7B21.exe\\\" FLOZK4E\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PLC7B21.exe\" FLOZK4E" | PLC7B21.exe
- Runs ping.exe (1 TTP, 3 IoCs)
  pid | process
  2088 | PING.EXE
  3844 | PING.EXE
  2640 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  664 | malware-bahaya-rt3ret3.exe
  664 | malware-bahaya-rt3ret3.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | process | target process
  PID 664 wrote to memory of 2368 | 664 | malware-bahaya-rt3ret3.exe | cmd.exe
  PID 664 wrote to memory of 2368 | 664 | malware-bahaya-rt3ret3.exe | cmd.exe
  PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | PING.EXE
  PID 2368 wrote to memory of 2640 | 2368 | cmd.exe | PING.EXE
  PID 2368 wrote to memory of 2724 | 2368 | cmd.exe | malware-bahaya-rt3ret3.exe
  PID 2368 wrote to memory of 2724 | 2368 | cmd.exe | malware-bahaya-rt3ret3.exe
  PID 2724 wrote to memory of 2728 | 2724 | malware-bahaya-rt3ret3.exe | cmd.exe
  PID 2724 wrote to memory of 2728 | 2724 | malware-bahaya-rt3ret3.exe | cmd.exe
  PID 2728 wrote to memory of 2088 | 2728 | cmd.exe | PING.EXE
  PID 2728 wrote to memory of 2088 | 2728 | cmd.exe | PING.EXE
  PID 2728 wrote to memory of 3864 | 2728 | cmd.exe | PLC7B21.exe
  PID 2728 wrote to memory of 3864 | 2728 | cmd.exe | PLC7B21.exe
  PID 3864 wrote to memory of 3036 | 3864 | PLC7B21.exe | cmd.exe
  PID 3864 wrote to memory of 3036 | 3864 | PLC7B21.exe | cmd.exe
  PID 3036 wrote to memory of 3844 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 3844 | 3036 | cmd.exe | PING.EXE
  PID 3036 wrote to memory of 2164 | 3036 | cmd.exe | PLC7B21.exe
  PID 3036 wrote to memory of 2164 | 3036 | cmd.exe | PLC7B21.exe
Processes (indented by process-tree depth)
- C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe BKCJC
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 8.8.8.8 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe BKCJC
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe XGAA
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE
          Command line: ping 8.8.8.8 -n 2
          - Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe XGAA
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe FLOZK4E
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE
              Command line: ping 8.8.8.8 -n 2
              - Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe FLOZK4E
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
  MD5: efa4b2e7d7016a1f80efff5840de3a18
  SHA1: 04606786daa6313867c7ada1f0c9c925d9b602fb
  SHA256: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
  SHA512: 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
- memory/664-114-0x0000000180000000-0x0000000180032000-memory.dmp (Filesize: 200KB)
- memory/2088-124-0x0000000000000000-mapping.dmp
- memory/2164-133-0x0000000000000000-mapping.dmp
- memory/2368-117-0x0000000000000000-mapping.dmp
- memory/2640-118-0x0000000000000000-mapping.dmp
- memory/2724-119-0x0000000000000000-mapping.dmp
- memory/2728-123-0x0000000000000000-mapping.dmp
- memory/3036-131-0x0000000000000000-mapping.dmp
- memory/3844-132-0x0000000000000000-mapping.dmp
- memory/3864-125-0x0000000000000000-mapping.dmp