Analysis

  • max time kernel
    1770s
  • max time network
    1815s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    08-10-2021 18:07

General

  • Target

    1.dll

  • Size

    518KB

  • MD5

    c0a88d8ea1c610384bc18bfa12407038

  • SHA1

    0a3d5e68878afbe4fa9a154c005c9337bdf83faa

  • SHA256

    e425d1aebf1de8798b6ce3e55a3767b47fc6678d6d3886dcb48932fd69474de7

  • SHA512

    437c3416f8f11afd0ad4368fa8cc2e03ea9d99c718011afcf11c6ff2cc1c2f3156a050bae7d283e70483200cac576dea893b4878f17b2410c8ac8afe25f17685

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1196
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1240
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
        PID:1268
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
        PID:920
  • C:\Windows\system32\rundll32.exe
    rundll32 "C:\Users\Admin\AppData\Local\Temp\1.dll",#1
    1⤵
    PID:1532

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    ab5c36d10261c173c5896f3478cdc6b7

    SHA1

    87ac53810ad125663519e944bc87ded3979cbee4

    SHA256

    f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

    SHA512

    e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    4cefe7dd6b7ddbac1a61020553df8e4d

    SHA1

    862558efee586d719372b2dd8faf74d8db54436d

    SHA256

    74ce595299d5cf134dffddc19c84e4701eeee32c62c81302c2300117dc7aa49a

    SHA512

    062e029249706e836158fbfd8d775f5bf9c38c0f6f65249257f8992d751a976d96e8393337995f29dbef6e2ecb568b983509b21f19a8d9b8b41440e190b75449

  • memory/1240-60-0x0000000000190000-0x00000000001BA000-memory.dmp
    Filesize

    168KB

  • memory/1268-61-0x000007FEFC391000-0x000007FEFC393000-memory.dmp
    Filesize

    8KB

  • memory/1532-62-0x0000000001C60000-0x0000000001C8A000-memory.dmp
    Filesize

    168KB
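The process tree and the memory dump names above carry more than the report spells out: each dump name encodes the PID and the address range of the region the sandbox carved, and the tree shows explorer.exe (PID 1268) and chrome.exe (PID 920) recorded as children of the desktop Explorer.EXE (PID 1196) next to a rundll32.exe (PID 1240) flagged for NtCreateUserProcessOtherParentProcess, the call pattern that parent-PID spoofing leaves behind. The following helper is an added example written for this page; it is not part of the sandbox report and not code from the Bazar tooling. It parses the dump names, recomputes region sizes, groups identical-size regions across processes (the same unpacked payload staged in two rundll32 instances is the usual reason two unrelated processes each hold a 168 KB private region), and lists the siblings of the flagged process as parent-spoofing candidates. The process list and dump names are transcribed by hand from the report; the "flagged sibling is the real creator" reading is an inference the report itself does not state, and the dump-name pattern is assumed to be the Triage naming shown on this page.

```python
"""
Added triage helper for the report above (not the sandbox's or the
malware's own code). Re-reads the memory dump names and the process tree
listed in the report and derives region sizes, same-size regions across
processes, and parent-PID-spoofing candidates.
"""
import re
from collections import defaultdict

# Memory dump names exactly as listed in the report's Downloads section.
MEMORY_DUMPS = [
    "memory/1240-60-0x0000000000190000-0x00000000001BA000-memory.dmp",
    "memory/1268-61-0x000007FEFC391000-0x000007FEFC393000-memory.dmp",
    "memory/1532-62-0x0000000001C60000-0x0000000001C8A000-memory.dmp",
]

# Process tree transcribed from the report: (pid, parent_pid, image, signatures).
# Parent links follow the tree's depth markers; root processes have parent None.
PROCESSES = [
    (1196, None, r"C:\Windows\Explorer.EXE", set()),
    (1240, 1196, r"C:\Windows\system32\rundll32.exe",
     {"NtCreateUserProcessOtherParentProcess", "SetThreadContext", "WriteProcessMemory"}),
    (1268, 1196, r"C:\Windows\explorer.exe", set()),
    (920, 1196, r"C:\Program Files\Google\Chrome\Application\chrome.exe", set()),
    (1532, None, r"C:\Windows\system32\rundll32.exe", set()),
]

# Assumed dump-name layout: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Return (pid, index, start, end, size_bytes) for one dump file name."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return pid, idx, start, end, end - start


def region_sizes(names=MEMORY_DUMPS):
    """Map pid -> size in bytes of its dumped region (one region per pid here)."""
    return {pid: size for pid, _, _, _, size in map(parse_dump, names)}


def shared_size_groups(names=MEMORY_DUMPS):
    """Sizes that occur in more than one process, with the PIDs involved.
    Identical-size private regions in unrelated processes are a cheap hint
    that the same unpacked payload was staged in each of them."""
    by_size = defaultdict(list)
    for pid, _, _, _, size in map(parse_dump, names):
        by_size[size].append(pid)
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def ppid_spoof_candidates(procs=PROCESSES):
    """(pid, image, likely_creator) for processes whose recorded parent also
    parents a process flagged with NtCreateUserProcessOtherParentProcess.
    Heuristic: the flagged sibling is the probable real creator and the
    parent shown in the tree is the one it claimed."""
    children = defaultdict(list)
    for pid, ppid, image, sigs in procs:
        children[ppid].append((pid, image, sigs))
    out = []
    for kids in children.values():
        spoofers = [pid for pid, _, sigs in kids
                    if "NtCreateUserProcessOtherParentProcess" in sigs]
        if not spoofers:
            continue
        for pid, image, _ in kids:
            if pid not in spoofers:
                out.append((pid, image, spoofers[0]))
    return out


if __name__ == "__main__":
    for pid, size in region_sizes().items():
        print(f"pid {pid}: dumped region {size} bytes ({size // 1024} KB)")
    for size, pids in shared_size_groups().items():
        print(f"same-size region ({size} bytes) in PIDs {pids}")
    for pid, image, creator in ppid_spoof_candidates():
        print(f"pid {pid} ({image}) recorded under a parent it may not have; "
              f"flagged sibling pid {creator} is the likely creator")
```

Run as-is, the script confirms the two 168KB figures (0x2A000 = 172032 bytes in both rundll32 instances, PIDs 1240 and 1532) and the 8KB region in explorer.exe (PID 1268), and names explorer.exe (1268) and chrome.exe (920) as the processes whose Explorer.EXE parent is most likely spoofed. The 8KB region sits at a high address typical of a loaded system module rather than a heap allocation, so it is worth pulling separately from the two payload-sized regions when checking for patched code.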