Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

SharedFiles.dll

windows7_x64

10

SharedFiles.dll

windows10_x64

10

Analysis

  • max time kernel
    1752s
  • max time network
    1755s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    25-10-2021 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.lnk

  • Size

    1KB

  • MD5

    4d8af5ba95aa23f7162b7bbf8622d801

  • SHA1

    d5b8c1a219686be5b75e58c560609023b491d9aa

  • SHA256

    e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162

  • SHA512

    f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3040
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4324
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3988
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:576
      • C:\Windows\system32\rundll32.exe
        rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore
        1⤵
          PID:1548

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3988-115-0x0000000000000000-mapping.dmp
          Download
        • memory/3988-116-0x0000000180001000-0x000000018002E000-memory.dmp
          Filesize

          180KB

          Download