bazarbackdoor | 365c4a15a704d7a6244a34ef94bc2aa845ae8435ab4ff4bdac7da55e76f75cf6

General

Target

require 010.04.2021.doc
Size

75KB
MD5

6969e17d53d20ffd5dfd76d4955e5cc9
SHA1

da3b0bd9b89c264d0b6520658a1b0e9b851bd2d9
SHA256

365c4a15a704d7a6244a34ef94bc2aa845ae8435ab4ff4bdac7da55e76f75cf6
SHA512

8acb4fbce39b9c9b35e41d2efb4ff05641d9f14b3ec2a90163bbe3a7c33eca8fa7574b53aede7c55e19dd75ab623469b116157afc79ef80d6c1bf8892a212448

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

mshta.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4036	392	mshta.exe	WINWORD.EXE

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3760-303-0x00007FF76D9C0000-0x00007FF76DA0B000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/3760-304-0x00007FF76D9E4AB0-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/3760-305-0x00007FF76D9C0000-0x00007FF76DA0B000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3936-298-0x0000000000EF0000-0x0000000000F08000-memory.dmp	BazarLoaderVar6
behavioral2/memory/1688-300-0x0000018E085F0000-0x0000018E08608000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

mshta.exe

flow pid process

6 4036 mshta.exe
Downloads MZ/PE file
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exeregsvr32.exerundll32.exe

pid process

864 regsvr32.exe
3936 regsvr32.exe
1688 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3936 set thread context of 3760 3936 regsvr32.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
6	4036	mshta.exe

pid	process
864	regsvr32.exe
3936	regsvr32.exe
1688	rundll32.exe

description	pid	process	target process
PID 3936 set thread context of 3760	3936	regsvr32.exe	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

392 WINWORD.EXE
392 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

3936 regsvr32.exe
3936 regsvr32.exe
3936 regsvr32.exe
3936 regsvr32.exe
3936 regsvr32.exe
3936 regsvr32.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE
392 WINWORD.EXE

pid	process
392	WINWORD.EXE
392	WINWORD.EXE

pid	process
3936	regsvr32.exe
3936	regsvr32.exe
3936	regsvr32.exe
3936	regsvr32.exe
3936	regsvr32.exe
3936	regsvr32.exe

pid	process
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE
392	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEmshta.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 392 wrote to memory of 4036	392	WINWORD.EXE	mshta.exe
PID 392 wrote to memory of 4036	392	WINWORD.EXE	mshta.exe
PID 392 wrote to memory of 4036	392	WINWORD.EXE	mshta.exe
PID 4036 wrote to memory of 864	4036	mshta.exe	regsvr32.exe
PID 4036 wrote to memory of 864	4036	mshta.exe	regsvr32.exe
PID 4036 wrote to memory of 864	4036	mshta.exe	regsvr32.exe
PID 864 wrote to memory of 3936	864	regsvr32.exe	regsvr32.exe
PID 864 wrote to memory of 3936	864	regsvr32.exe	regsvr32.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe
PID 3936 wrote to memory of 3760	3936	regsvr32.exe	svchost.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\require 010.04.2021.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" c:\users\public\easyMicrosoftHop.jpg
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\system32\regsvr32.exe
      c:\users\public\easyMicrosoftHop.jpg
      4⤵
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe -k UnistackSvcGroup
        5⤵
        
        PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe c:\users\public\easyMicrosoftHop.jpg,DllRegisterServer {A9107511-5E85-45B8-9C85-9E059A12E9A4}
1⤵
- Loads dropped DLL
PID:1688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cleanEarthExcel.....hta

MD5
d332518f2d331453d0dfa6044454acd6

SHA1
f5cc27a33a0ec2f092b9d9d645c01b30f8260438

SHA256
751930783e9376b73abf4573f972fc8670873c398ae9d361f7ede25f87470fd8

SHA512
9058907e2d47076ecb8cc9cfe1d48b99db365acd22fe13b11d09849f8390a617416b27716983d81b3bac51cc08256824e66cff1b15e1d166b7bbe09e686a6a85

Download Submit
\??\c:\users\public\easyMicrosoftHop.jpg

MD5
a5a8f30d7f8ec029d9b901900d5edc2c

SHA1
e69c88a026d76c3db0caacd4607eb491e16966fd

SHA256
a612b75b69c51cb1e982549fa815a442c6319319109b7d2722247b3dbf116f79

SHA512
ad2ea8f8715c2a1198e40ad36c13cd0c0a0012fff406b3bcd5e41a518d682cf695b886bffedf1aa95c344ab539362a70086156f6305c5c117b8da0197072e5b6

Download Submit
\Users\Public\easyMicrosoftHop.jpg

MD5
a5a8f30d7f8ec029d9b901900d5edc2c

SHA1
e69c88a026d76c3db0caacd4607eb491e16966fd

SHA256
a612b75b69c51cb1e982549fa815a442c6319319109b7d2722247b3dbf116f79

SHA512
ad2ea8f8715c2a1198e40ad36c13cd0c0a0012fff406b3bcd5e41a518d682cf695b886bffedf1aa95c344ab539362a70086156f6305c5c117b8da0197072e5b6

Download Submit
\Users\Public\easyMicrosoftHop.jpg

MD5
a5a8f30d7f8ec029d9b901900d5edc2c

SHA1
e69c88a026d76c3db0caacd4607eb491e16966fd

SHA256
a612b75b69c51cb1e982549fa815a442c6319319109b7d2722247b3dbf116f79

SHA512
ad2ea8f8715c2a1198e40ad36c13cd0c0a0012fff406b3bcd5e41a518d682cf695b886bffedf1aa95c344ab539362a70086156f6305c5c117b8da0197072e5b6

Download Submit
\Users\Public\easyMicrosoftHop.jpg

MD5
a5a8f30d7f8ec029d9b901900d5edc2c

SHA1
e69c88a026d76c3db0caacd4607eb491e16966fd

SHA256
a612b75b69c51cb1e982549fa815a442c6319319109b7d2722247b3dbf116f79

SHA512
ad2ea8f8715c2a1198e40ad36c13cd0c0a0012fff406b3bcd5e41a518d682cf695b886bffedf1aa95c344ab539362a70086156f6305c5c117b8da0197072e5b6

Download Submit
memory/392-118-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp

Filesize
64KB

Download
memory/392-123-0x00007FFBA7730000-0x00007FFBA881E000-memory.dmp

Filesize
16.9MB

Download
memory/392-124-0x00007FFBA5830000-0x00007FFBA7725000-memory.dmp

Filesize
31.0MB

Download
memory/392-120-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp

Filesize
64KB

Download
memory/392-119-0x00007FFBAD610000-0x00007FFBB0133000-memory.dmp

Filesize
43.1MB

Download
memory/392-115-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp

Filesize
64KB

Download
memory/392-117-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp

Filesize
64KB

Download
memory/392-116-0x00007FFB8C970000-0x00007FFB8C980000-memory.dmp

Filesize
64KB

Download
memory/864-288-0x0000000000000000-mapping.dmp

Download
memory/1688-300-0x0000018E085F0000-0x0000018E08608000-memory.dmp

Filesize
96KB

Download
memory/3760-303-0x00007FF76D9C0000-0x00007FF76DA0B000-memory.dmp

Filesize
300KB

Download
memory/3760-304-0x00007FF76D9E4AB0-mapping.dmp

Download
memory/3760-305-0x00007FF76D9C0000-0x00007FF76DA0B000-memory.dmp

Filesize
300KB

Download
memory/3936-296-0x0000000000000000-mapping.dmp

Download
memory/3936-298-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/4036-261-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads