General

  • Target: rule_010.21.doc

  • Size: 33KB

  • Sample: 211022-tlhwcabgh5

  • MD5: 4b420bc3f81ce0f0313a1e4dda8c2b5f

  • SHA1: 5fa4c3a4b8809f57aaa0dcffa88d48711bc2389e

  • SHA256: aa410115edee64b35a2dc46bb5f6243f3d351d3e8e3bb7e94142949f76e25893

  • SHA512: 3a1a8ceb057f937359df4dca286f5952c7f318a9b0b661804f4f4af2bfb18d886f1b8501bcc9baa7fcb061a8e9f24597d5232b5c970f91e1660a1c2f36176099

Targets

    • Target: rule_010.21.doc

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                      Count  ID
  Defense Evasion   Modify Registry                1      T1112
  Discovery         System Information Discovery   3      T1082
  Discovery         Query Registry                 2      T1012
