Analysis
-
max time kernel
143s -
max time network
148s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
15-10-2021 22:22
Static task
static1
Behavioral task
behavioral1
Sample
1.dll
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
1.dll
Resource
win10-en-20211014
Behavioral task
behavioral3
Sample
Documents.lnk
Resource
win7-en-20210920
Behavioral task
behavioral4
Sample
Documents.lnk
Resource
win10-en-20211014
General
-
Target
Documents.lnk
-
Size
1KB
-
MD5
db8f42a798dd65d9bd8398c3e2564f06
-
SHA1
7df618ca8e5e21faf19ece8c2470f62af8e4ea15
-
SHA256
59b77f3b8d2e7d72c61d522a2bcabbe0b47be3b73e1a4001cb763589a656134c
-
SHA512
3533442932c0a796de82668f334f264b6aac4f3552eef535caeda4bb7d4feeb7d1789c09424ac3de506a8438ab9d19713ce0272816c5d8b4dd8ae545bc862053
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
Processes:
resource yara_rule behavioral4/memory/1960-116-0x000001F2AC130000-0x000001F2AC15A000-memory.dmp BazarLoaderVar5 -
Blocklisted process makes network request 3 IoCs
Processes:
rundll32.exeflow pid process 21 1960 rundll32.exe 24 1960 rundll32.exe 25 1960 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
cmd.exedescription pid process target process PID 1828 wrote to memory of 1960 1828 cmd.exe rundll32.exe PID 1828 wrote to memory of 1960 1828 cmd.exe rundll32.exe