Overview

overview

10

Static

static

8

dictate.01...21.doc

windows7_x64

10

dictate.01...21.doc

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dictate.010.22.2021.doc

  • Size

    34KB

  • Sample

    211022-qw1mcscehn

  • MD5

    bf0ddf189d1334e11275e04ddc576bde

  • SHA1

    21f303963b50a4129a513b68debe23225c6b9dc1

  • SHA256

    87c48d3ffddbc8284f5b037b94b150b40dcc27cd27c3a2d7d8a2ddb63dc562e1

  • SHA512

    3fed6367d0c17504eaf3d817a35001428ab2ab0db3a8c7698024781ddae3922a844406c848fcc558ab5854b85903eb0c42713983f485db9c69061ae85d275a81

Score
10/10
bazarloaderdropperloadermacro

Malware Config

Targets

    • Target

      dictate.010.22.2021.doc

    • Size

      34KB

    • MD5

      bf0ddf189d1334e11275e04ddc576bde

    • SHA1

      21f303963b50a4129a513b68debe23225c6b9dc1

    • SHA256

      87c48d3ffddbc8284f5b037b94b150b40dcc27cd27c3a2d7d8a2ddb63dc562e1

    • SHA512

      3fed6367d0c17504eaf3d817a35001428ab2ab0db3a8c7698024781ddae3922a844406c848fcc558ab5854b85903eb0c42713983f485db9c69061ae85d275a81

    Score
    10/10
    bazarloaderdropperloader

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

      loaderdropperbazarloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks