Analysis
-
max time kernel
140s -
max time network
154s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
15-10-2021 18:09
General
-
Target
6bf2a52b5755de865d691045806936f9.dll
-
Size
353KB
-
MD5
6bf2a52b5755de865d691045806936f9
-
SHA1
70c164d08608478ba36e1479f0277dffc4fd951f
-
SHA256
5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e
-
SHA512
b7a3c199e2ae2904907726b831ba00222c734e69079574aa6ddbf023bbe5cb922a7cbd0130f3557b67ccc624264fb516824e1087fde4fbcce3681b66c16782bf
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\6bf2a52b5755de865d691045806936f9.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2a52b5755de865d691045806936f9.dll,DllRegisterServer {9612463D-E44A-43E0-B9DC-81C04F80E835}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1892-115-0x0000000345021000-0x0000000345048000-memory.dmpFilesize
156KB
-
memory/3396-117-0x00007FF7FE190000-0x00007FF7FE1DB000-memory.dmpFilesize
300KB
-
memory/3396-118-0x00007FF7FE1B4730-mapping.dmp
-
memory/3396-119-0x00007FF7FE190000-0x00007FF7FE1DB000-memory.dmpFilesize
300KB