Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

SharedFiles.dll

windows7_x64

10

SharedFiles.dll

windows10_x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1790s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-10-2021 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.lnk

  • Size

    1KB

  • MD5

    4d8af5ba95aa23f7162b7bbf8622d801

  • SHA1

    d5b8c1a219686be5b75e58c560609023b491d9aa

  • SHA256

    e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162

  • SHA512

    f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1204
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1484
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:1748
      • C:\Windows\system32\rundll32.exe
        rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore
        1⤵
          PID:1376

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          4ea6b0ca63e2a5fda40355eae2a033bb

          SHA1

          fa39fa40b3fedd89684ff904b88ac6649cf496a6

          SHA256

          493188d935ab576218d951b538590e17b9526841c6af37fefe347631b5a05921

          SHA512

          92d22aa146292c1c75b3429905f6c04e0f7c23360d3a5b82ac587a7935ddc85582b24de8be752e6b2b2cbdb0e17421a9f03f4aa03d8dc2444c3eed2e0dbc39d9

          Download Submit
        • memory/1484-56-0x0000000000000000-mapping.dmp
          Download
        • memory/1484-57-0x0000000001AE0000-0x0000000001B07000-memory.dmp
          Filesize

          156KB

          Download
        • memory/1484-58-0x0000000180001000-0x000000018002E000-memory.dmp
          Filesize

          180KB

          Download
        • memory/1720-55-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp
          Filesize

          8KB

          Download