Overview

overview

10

Static

static

8

question.010.21.doc

windows7_x64

10

question.010.21.doc

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 13:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    question.010.21.doc

  • Size

    34KB

  • MD5

    7a87ef713680cc71ba38945b305a9579

  • SHA1

    08f858b709bea8c5e16bdd026338f02cb7605c88

  • SHA256

    2a46ff6e614f60b3166614e9f7f94d0b001cda9b8a2b296e917b0b6aa54dba12

  • SHA512

    91473bf2ea429e17198ec0dad53cd8323e4d9b520cf63a57857e45fef7edad823b29a648fcd4f166460a6b1bd43ccbcfe9c2c677d1c97d1885a6108c92cdaba0

Score
10/10
bazarloaderdropperloadersuricata

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE BazaLoader Activity (GET)

    suricata: ET MALWARE BazaLoader Activity (GET)

    suricata
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1400
      • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
        "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\question.010.21.doc"
        2⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1524
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\seaRedSea.hta"
          3⤵
          • Process spawned unexpected child process
          • Blocklisted process makes network request
          • Modifies Internet Explorer settings
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" c:\users\public\seaSeaLady.jpg
            4⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:908
            • C:\Windows\system32\regsvr32.exe
              c:\users\public\seaSeaLady.jpg
              5⤵
              • Suspicious use of NtCreateUserProcessOtherParentProcess
              • Loads dropped DLL
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:1160
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          3⤵
            PID:1868
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          2⤵
            PID:1320
          • C:\Windows\explorer.exe
            "C:\Windows\explorer.exe"
            2⤵
              PID:1552
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s "c:\users\public\seaSeaLady.jpg"
            1⤵
            • Loads dropped DLL
            PID:284

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
            MD5

            ab5c36d10261c173c5896f3478cdc6b7

            SHA1

            87ac53810ad125663519e944bc87ded3979cbee4

            SHA256

            f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

            SHA512

            e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

            Download Submit
          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            42738ad7feedbfe8d14cdc27065ec2e2

            SHA1

            c6afe927f3949af0d5d1eeae250f110f92e50ede

            SHA256

            5cad2714e4529fd56e7c21d803cb9d3125cba2b2c3adc0cc81a6708cbeadebf0

            SHA512

            76865f93303da634a2d48cd78389fa869b2722a2f2192c53d032f646132163105cc7ab92cc5952346b2b81be457aea44618c289d138c528f362aef4d396e651e

            Download Submit
          • C:\users\public\seaRedSea.hta
            MD5

            937fd4b981d32e8d76e28d924568fcee

            SHA1

            61d97a255a266e21dc326ad44e7c1d350eb0b91e

            SHA256

            c6218d2af935d5b2c97d9d0fb4b2c35aa24709e5704b51c8866ba1af44eb9342

            SHA512

            82646b237109cefa9d2ef6c5de1494052c0f80a7302e91311b96bf3032251932a55ef87c419cb530444c9ac0886a7309e59c840eb075bb5320ff59b28d85a0c2

            Download Submit
          • \??\c:\users\public\seaSeaLady.jpg
            MD5

            5ab9e8327a98e368ae62b1efad44e7f6

            SHA1

            f63028fa656404b2f9e04f427d124e2ec8824541

            SHA256

            1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933

            SHA512

            e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c

            Download Submit
          • \Users\Public\seaSeaLady.jpg
            MD5

            5ab9e8327a98e368ae62b1efad44e7f6

            SHA1

            f63028fa656404b2f9e04f427d124e2ec8824541

            SHA256

            1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933

            SHA512

            e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c

            Download Submit
          • \Users\Public\seaSeaLady.jpg
            MD5

            5ab9e8327a98e368ae62b1efad44e7f6

            SHA1

            f63028fa656404b2f9e04f427d124e2ec8824541

            SHA256

            1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933

            SHA512

            e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c

            Download Submit
          • \Users\Public\seaSeaLady.jpg
            MD5

            5ab9e8327a98e368ae62b1efad44e7f6

            SHA1

            f63028fa656404b2f9e04f427d124e2ec8824541

            SHA256

            1a54a8bfa478e4bc3ab4bcfbe938df74eaaedc68b619b0dbf6044adc39dcd933

            SHA512

            e3f1413109558c3d44f7488735352ac5f5a2a1645d2db5ea617252ac7248811f1d5b6a915e6d34de76cee66f87910b5f8fa3b6a12a70e1bd117f5d2cb3fcc40c

            Download Submit
          • memory/284-82-0x0000000001FA0000-0x00000000021C6000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/896-64-0x0000000000000000-mapping.dmp
            Download
          • memory/908-68-0x0000000000000000-mapping.dmp
            Download
          • memory/1160-75-0x0000000001FE0000-0x0000000002206000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/1160-72-0x0000000000000000-mapping.dmp
            Download
          • memory/1524-59-0x00000000003E4000-0x00000000003E8000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1524-62-0x00000000003E4000-0x00000000003E8000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1524-60-0x00000000003E4000-0x00000000003E8000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1524-54-0x0000000072201000-0x0000000072204000-memory.dmp
            Filesize

            12KB

            Download
          • memory/1524-76-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1524-58-0x00000000003E4000-0x00000000003E8000-memory.dmp
            Filesize

            16KB

            Download
          • memory/1524-57-0x00000000751A1000-0x00000000751A3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1524-56-0x000000005FFF0000-0x0000000060000000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1524-55-0x000000006FC81000-0x000000006FC83000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1868-67-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1868-66-0x0000000000000000-mapping.dmp
            Download