bazarloader | 510a27e3550669e6eea0d1fb8520b75416ec3595d5208e1c505d60e36af7477d | Triage

Analysis

max time kernel
379s
max time network
1562s
platform
windows10_x64
resource
win10-en-20211014
submitted
22-10-2021 16:24

Sharing

Report Analysis Logs

General

Target

peju4.dll
Size

840KB
MD5

c86d7d276cc517c34ff430b49551a91c
SHA1

5338ba42e2251f579aa31e0e5ce4dd98ba476f68
SHA256

510a27e3550669e6eea0d1fb8520b75416ec3595d5208e1c505d60e36af7477d
SHA512

1097e57b42e32466e8d8b3d182d4643a9c92edbe0f741e051a9381e3b1e97317577f3c9e4ce0223f4542895f5b9ca358196fe0b817fd01ee46dbfb748fce8f4d

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2732-115-0x0000000180001000-0x0000000180034000-memory.dmp	BazarLoaderVar5

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2828 2732 WerFault.exe regsvr32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

WerFault.exe

pid	process
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 2828 WerFault.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\peju4.dll
1⤵
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2732 -s 616
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2732-115-0x0000000180001000-0x0000000180034000-memory.dmp

Filesize
204KB

Download