Analysis
-
max time kernel
1750s -
max time network
1754s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
30-09-2021 01:25
General
-
Target
diretto_09.21.doc
-
Size
131KB
-
MD5
b00b548fde0aed1436f7ec6f9a87b007
-
SHA1
6a54bc7bc4f8a7c6747e26733482bda28d8e3054
-
SHA256
8d9a5a1713cf71f93f7a79045d329f690233df1273e2eba1e9f0dc6dae28411a
-
SHA512
3003ec06428c49459a79f6a78322ff3d10a5cab499ed1897a78ebdf052b1bd289518c8d89c21e2171cfeec6c46203cdfbe63aef444f34522124647f38cba0aa6
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Tries to connect to .bazar domain 14 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Loads dropped DLL 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\diretto_09.21.doc" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\aprilAccessWindows...hTa" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" c:\users\public\aprilAccessWindows.jpg3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\regsvr32.exec:\users\public\aprilAccessWindows.jpg4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup5⤵
-
-
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe c:\users\public\aprilAccessWindows.jpg,DllRegisterServer {4B75876C-2E2F-4397-915A-B9BD92E5145B}1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
fe7fd41dc1885f52d80f926ca71760c7
SHA173d69097914f45ad6c0b2d97c3e23587bfbbd15c
SHA2564a220413e30e4d47e82583fea0aaa4935b258bfa06eb6f0db42bb78622c53974
SHA512c8593f3b59dbcbc4788f57517d4fd61669ed8a44cdf69cf45a69400d1cc3ebfd3c93055d077618a6de4d75cbb743bdbb008ddb73d9e1061d2238719a4f5d1b43
-
MD5
a7297781b5aecf4513d5a7a866e6281a
SHA1a2c2d1365a122bd28b23426db3807ca712bc354a
SHA25696d5aaa8342c344fdae21fe8fc414bed055f075435129e9e81d77667be7bb946
SHA51209b297ecf0dbc561d3e8b249ce3bfacb1a17000e507caf116778656b665262a8144a2190f844c087f7e4ce357f656888c5e6867650739ebcd51b91330a6248d2
-
MD5
be6439d9ceb8b19a8b4a2343a7936118
SHA185d5955240434cc8fed1fd433c7085f4efa33134
SHA256f524fe9e250c6a0159ebbad3ab06b13be1d0cbd544e21997f81b9d3ec195e6ab
SHA51225530b160f00691ff00e0264a4cdc84b2285afb8d614d7b6acb21f9203a8a3dc724549cd5ec239d74145b0607227c7c1d7e8cc24fa88dd190f3e0932f84bc5ac
-
MD5
be6439d9ceb8b19a8b4a2343a7936118
SHA185d5955240434cc8fed1fd433c7085f4efa33134
SHA256f524fe9e250c6a0159ebbad3ab06b13be1d0cbd544e21997f81b9d3ec195e6ab
SHA51225530b160f00691ff00e0264a4cdc84b2285afb8d614d7b6acb21f9203a8a3dc724549cd5ec239d74145b0607227c7c1d7e8cc24fa88dd190f3e0932f84bc5ac
-
MD5
be6439d9ceb8b19a8b4a2343a7936118
SHA185d5955240434cc8fed1fd433c7085f4efa33134
SHA256f524fe9e250c6a0159ebbad3ab06b13be1d0cbd544e21997f81b9d3ec195e6ab
SHA51225530b160f00691ff00e0264a4cdc84b2285afb8d614d7b6acb21f9203a8a3dc724549cd5ec239d74145b0607227c7c1d7e8cc24fa88dd190f3e0932f84bc5ac
-
MD5
be6439d9ceb8b19a8b4a2343a7936118
SHA185d5955240434cc8fed1fd433c7085f4efa33134
SHA256f524fe9e250c6a0159ebbad3ab06b13be1d0cbd544e21997f81b9d3ec195e6ab
SHA51225530b160f00691ff00e0264a4cdc84b2285afb8d614d7b6acb21f9203a8a3dc724549cd5ec239d74145b0607227c7c1d7e8cc24fa88dd190f3e0932f84bc5ac
-
-
Filesize
16.9MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
43.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
31.0MB
-
Filesize
64KB
-
Filesize
64KB
-
-
Filesize
92KB
-
-
Filesize
92KB
-
Filesize
308KB
-
-
Filesize
308KB
