bazarbackdoor | f964cb1615386f5fcf67fe30dfd43c403a0614e21108522b99c7c0abda4270e5

General

Target

decree_010.04.2021.doc
Size

76KB
MD5

dc7c830fca5fa6c17aa39736748ae71e
SHA1

b44ee6ebeafa18f7bd08ffaea7f048d9d7f10b6d
SHA256

f964cb1615386f5fcf67fe30dfd43c403a0614e21108522b99c7c0abda4270e5
SHA512

fb523982adc540b6d27c47a0e8f026f1a30b79cbe116f1b492c2cfd5ae5151554d9fddefb1b2529a52fc16f616361c5494183f5def182a7b9628461599b217b9

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	2020	1652	mshta.exe	WINWORD.EXE

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1656-79-0x00000000FF7F0000-0x00000000FF83B000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/1656-80-0x00000000FF814AB0-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/1656-81-0x00000000FF7F0000-0x00000000FF83B000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-73-0x0000000000120000-0x0000000000138000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1300-75-0x0000000000100000-0x0000000000118000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

5 2020 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exerundll32.exe

pid process

1636 regsvr32.exe
1004 regsvr32.exe
1300 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1004 set thread context of 1656 1004 regsvr32.exe svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
5	2020	mshta.exe

pid	process
1636	regsvr32.exe
1004	regsvr32.exe
1300	rundll32.exe

description	pid	process	target process
PID 1004 set thread context of 1656	1004	regsvr32.exe	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1652 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exe

pid process

1004 regsvr32.exe
1004 regsvr32.exe
1004 regsvr32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

1652 WINWORD.EXE
1652 WINWORD.EXE

pid	process
1652	WINWORD.EXE

pid	process
1004	regsvr32.exe
1004	regsvr32.exe
1004	regsvr32.exe

pid	process
1652	WINWORD.EXE
1652	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEmshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	mshta.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	mshta.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	mshta.exe
PID 1652 wrote to memory of 2020	1652	WINWORD.EXE	mshta.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 2020 wrote to memory of 1636	2020	mshta.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1636 wrote to memory of 1004	1636	regsvr32.exe	regsvr32.exe
PID 1652 wrote to memory of 1468	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 1468	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 1468	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 1468	1652	WINWORD.EXE	splwow64.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe
PID 1004 wrote to memory of 1656	1004	regsvr32.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\decree_010.04.2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\cleanWord.....hta"
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" c:\users\public\jumpWord.jpg
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\regsvr32.exe
      c:\users\public\jumpWord.jpg
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k UnistackSvcGroup
        5⤵
        
        PID:1656
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\users\public\jumpWord.jpg,DllRegisterServer {594FB433-5D3F-4F40-BBD7-0A98AAE6C7E2}
1⤵
- Loads dropped DLL
PID:1300

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
5c3aaa094eae4da58a0f310214bb6899

SHA1
1370a9ef91ed47993776ad09c6c4f99011131e2c

SHA256
9f49d41d33c55d08c69e0daf4c8af8f7aa3cd5d15926095e862b632e551d9f56

SHA512
aa644fc509e29799ced66d1105af5ffbf6d4ebaa5bb998d73a20af13b561f02e37e88f0ee04f93f39c6779c7acc31f54de2c580b99f9e8b52ad9fd39cdea0b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanWord.....hta

MD5
0e6a549db2d0b98995ee3ff87537c380

SHA1
d6d78b18526be9254eca930b737e93df346829dc

SHA256
d3a5b47de0828cf21c9508db5c7b353792f414dffae8a94b9fe2daace786ccd0

SHA512
630059b9376374170045f8adc921392b0b13719ba03606d6bd5933698c7d8410550ee38a966a7c4ae1081ce1174e800c1e7421950754de8733cd20d41a1a6c56

Download Submit
\??\c:\users\public\jumpWord.jpg

MD5
a8d5db1f29689635dcc1f707ff47b158

SHA1
f2a4f3d74ca395c3a87ada58e78eedd518d76692

SHA256
0b0cc5ce91000a9ec6913d68292a9c2f870b6e83deb0c69353f5ea1a694703f5

SHA512
8367b5b7a3a9d3fb50d3e6a4c77b803777470da731ffef0c4cc69786db6e6f2a3612e35644e4d0e126e63286d811abe6b229c6b454a93f2276025c0f10bd16ca

Download Submit
\Users\Public\jumpWord.jpg

MD5
a8d5db1f29689635dcc1f707ff47b158

SHA1
f2a4f3d74ca395c3a87ada58e78eedd518d76692

SHA256
0b0cc5ce91000a9ec6913d68292a9c2f870b6e83deb0c69353f5ea1a694703f5

SHA512
8367b5b7a3a9d3fb50d3e6a4c77b803777470da731ffef0c4cc69786db6e6f2a3612e35644e4d0e126e63286d811abe6b229c6b454a93f2276025c0f10bd16ca

Download Submit
\Users\Public\jumpWord.jpg

MD5
a8d5db1f29689635dcc1f707ff47b158

SHA1
f2a4f3d74ca395c3a87ada58e78eedd518d76692

SHA256
0b0cc5ce91000a9ec6913d68292a9c2f870b6e83deb0c69353f5ea1a694703f5

SHA512
8367b5b7a3a9d3fb50d3e6a4c77b803777470da731ffef0c4cc69786db6e6f2a3612e35644e4d0e126e63286d811abe6b229c6b454a93f2276025c0f10bd16ca

Download Submit
\Users\Public\jumpWord.jpg

MD5
a8d5db1f29689635dcc1f707ff47b158

SHA1
f2a4f3d74ca395c3a87ada58e78eedd518d76692

SHA256
0b0cc5ce91000a9ec6913d68292a9c2f870b6e83deb0c69353f5ea1a694703f5

SHA512
8367b5b7a3a9d3fb50d3e6a4c77b803777470da731ffef0c4cc69786db6e6f2a3612e35644e4d0e126e63286d811abe6b229c6b454a93f2276025c0f10bd16ca

Download Submit
memory/1004-71-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

Filesize
8KB

Download
memory/1004-70-0x0000000000000000-mapping.dmp

Download
memory/1004-73-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/1300-75-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download
memory/1468-77-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1652-60-0x00000000729D1000-0x00000000729D4000-memory.dmp

Filesize
12KB

Download
memory/1652-61-0x0000000070451000-0x0000000070453000-memory.dmp

Filesize
8KB

Download
memory/1652-63-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1652-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1656-80-0x00000000FF814AB0-mapping.dmp

Download
memory/1656-81-0x00000000FF7F0000-0x00000000FF83B000-memory.dmp

Filesize
300KB

Download
memory/1656-79-0x00000000FF7F0000-0x00000000FF83B000-memory.dmp

Filesize
300KB

Download
memory/2020-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads