bazarbackdoor | 365c4a15a704d7a6244a34ef94bc2aa845ae8435ab4ff4bdac7da55e76f75cf6

General

Target

require 010.04.2021.doc
Size

75KB
MD5

6969e17d53d20ffd5dfd76d4955e5cc9
SHA1

da3b0bd9b89c264d0b6520658a1b0e9b851bd2d9
SHA256

365c4a15a704d7a6244a34ef94bc2aa845ae8435ab4ff4bdac7da55e76f75cf6
SHA512

8acb4fbce39b9c9b35e41d2efb4ff05641d9f14b3ec2a90163bbe3a7c33eca8fa7574b53aede7c55e19dd75ab623469b116157afc79ef80d6c1bf8892a212448

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1788	1904	mshta.exe	WINWORD.EXE

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1280-76-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/1280-77-0x00000000FF2D4AB0-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/1280-78-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1856-73-0x0000000000120000-0x0000000000138000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1992-75-0x0000000000100000-0x0000000000118000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 1788 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exerundll32.exe

pid process

688 regsvr32.exe
1856 regsvr32.exe
1992 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1856 set thread context of 1280 1856 regsvr32.exe svchost.exe
Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

flow	pid	process
6	1788	mshta.exe

pid	process
688	regsvr32.exe
1856	regsvr32.exe
1992	rundll32.exe

description	pid	process	target process
PID 1856 set thread context of 1280	1856	regsvr32.exe	svchost.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEmshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1904 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exe

pid process

1856 regsvr32.exe
1856 regsvr32.exe
1856 regsvr32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXE

pid process

1904 WINWORD.EXE
1904 WINWORD.EXE
1904 WINWORD.EXE

pid	process
1904	WINWORD.EXE

pid	process
1856	regsvr32.exe
1856	regsvr32.exe
1856	regsvr32.exe

pid	process
1904	WINWORD.EXE
1904	WINWORD.EXE
1904	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEmshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 1904 wrote to memory of 1788	1904	WINWORD.EXE	mshta.exe
PID 1904 wrote to memory of 1788	1904	WINWORD.EXE	mshta.exe
PID 1904 wrote to memory of 1788	1904	WINWORD.EXE	mshta.exe
PID 1904 wrote to memory of 1788	1904	WINWORD.EXE	mshta.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 1788 wrote to memory of 688	1788	mshta.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 688 wrote to memory of 1856	688	regsvr32.exe	regsvr32.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe
PID 1856 wrote to memory of 1280	1856	regsvr32.exe	svchost.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 010.04.2021.doc"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta"
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" c:\users\public\easyMicrosoftHop.jpg
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\regsvr32.exe
c:\users\public\easyMicrosoftHop.jpg
4⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
5⤵
PID:1280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\users\public\easyMicrosoftHop.jpg,DllRegisterServer {B9C50292-BEB8-4EA7-A449-675F9A8F4F68}
1⤵
- Loads dropped DLL
PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
ab5c36d10261c173c5896f3478cdc6b7

SHA1
87ac53810ad125663519e944bc87ded3979cbee4

SHA256
f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

SHA512
e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5819c7a5d5b228e3596a3686cf9c51dc

SHA1
cbf8d49646d48e629875b4c0ae156e514176b32a

SHA256
93b8d2f16f2116c6c16475a522c96204a57189f7904e24d9e0c44c10efcbbfad

SHA512
e58726bbef07e03f8628b343cf6acab5dee1437ab3ad0cb22debf856eea5f61044208ba5a1c9a10b96f45b6a1ccd8e5354e7e35e38a028bc4be8ff77c748a916

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta
MD5
d332518f2d331453d0dfa6044454acd6

SHA1
f5cc27a33a0ec2f092b9d9d645c01b30f8260438

SHA256
751930783e9376b73abf4573f972fc8670873c398ae9d361f7ede25f87470fd8

SHA512
9058907e2d47076ecb8cc9cfe1d48b99db365acd22fe13b11d09849f8390a617416b27716983d81b3bac51cc08256824e66cff1b15e1d166b7bbe09e686a6a85

Download Submit
\??\c:\users\public\easyMicrosoftHop.jpg
MD5
48769565683695f9aa3aac3a044f006c

SHA1
74a503ba71a5f150c7ad06effd436840845c8f2b

SHA256
fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

SHA512
1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

Download Submit
\Users\Public\easyMicrosoftHop.jpg
MD5
48769565683695f9aa3aac3a044f006c

SHA1
74a503ba71a5f150c7ad06effd436840845c8f2b

SHA256
fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

SHA512
1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

Download Submit
\Users\Public\easyMicrosoftHop.jpg
MD5
48769565683695f9aa3aac3a044f006c

SHA1
74a503ba71a5f150c7ad06effd436840845c8f2b

SHA256
fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

SHA512
1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

Download Submit
\Users\Public\easyMicrosoftHop.jpg
MD5
48769565683695f9aa3aac3a044f006c

SHA1
74a503ba71a5f150c7ad06effd436840845c8f2b

SHA256
fc9df56e44cf9e1bd400f9f3916dab235adaddc03a29ed39b4f4e9e9fb897d97

SHA512
1202f7401ab48fb38a8736a82e0ff5fdc7bb7023a4e2cc7fa47fed9b32b0ab0a518fbe75dd43ffdcf9dd315d3d7caf9ef028725e03c680deacf2c2eeacba8d2f

Download Submit
memory/688-66-0x0000000000000000-mapping.dmp

Download
memory/1280-76-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp

Filesize
300KB

Download
memory/1280-77-0x00000000FF2D4AB0-mapping.dmp

Download
memory/1280-78-0x00000000FF2B0000-0x00000000FF2FB000-memory.dmp

Filesize
300KB

Download
memory/1788-64-0x0000000000000000-mapping.dmp

Download
memory/1856-71-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp

Filesize
8KB

Download
memory/1856-70-0x0000000000000000-mapping.dmp

Download
memory/1856-73-0x0000000000120000-0x0000000000138000-memory.dmp

Filesize
96KB

Download
memory/1904-63-0x0000000075AF1000-0x0000000075AF3000-memory.dmp

Filesize
8KB

Download
memory/1904-60-0x0000000072651000-0x0000000072654000-memory.dmp

Filesize
12KB

Download
memory/1904-62-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1904-61-0x00000000700D1000-0x00000000700D3000-memory.dmp

Filesize
8KB

Download
memory/1992-75-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads