Analysis
- max time kernel: 265s
- max time network: 229s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 08-10-2021 18:07
Static task: static1
Behavioral task behavioral1: Sample 1.dll, Resource win7v20210408
Behavioral task behavioral2: Sample 1.dll, Resource win10v20210408
Behavioral task behavioral3: Sample Documents.lnk, Resource win7-en-20210920
Behavioral task behavioral4: Sample Documents.lnk, Resource win10v20210408
General
- Target: 1.dll
- Size: 518KB
- MD5: c0a88d8ea1c610384bc18bfa12407038
- SHA1: 0a3d5e68878afbe4fa9a154c005c9337bdf83faa
- SHA256: e425d1aebf1de8798b6ce3e55a3767b47fc6678d6d3886dcb48932fd69474de7
- SHA512: 437c3416f8f11afd0ad4368fa8cc2e03ea9d99c718011afcf11c6ff2cc1c2f3156a050bae7d283e70483200cac576dea893b4878f17b2410c8ac8afe25f17685
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoC)
  resource: behavioral2/memory/664-114-0x000001A1D3EF0000-0x000001A1D3F1A000-memory.dmp
  yara_rule: BazarLoaderVar5
- Program crash (1 IoC)
  pid 2148 WerFault.exe, pid_target 664 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 2148 WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  pid 2148 WerFault.exe: Token: SeDebugPrivilege
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
  - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 664 -s 604
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/664-114-0x000001A1D3EF0000-0x000001A1D3F1A000-memory.dmp (Filesize 168KB)