Analysis
- max time kernel: 1752s
- max time network: 1755s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 25-10-2021 17:39
Tasks
- Static task static1
- Behavioral task behavioral1: Sample Documents.lnk, Resource win7-en-20211014
- Behavioral task behavioral2: Sample Documents.lnk, Resource win10-en-20210920
- Behavioral task behavioral3: Sample SharedFiles.dll, Resource win7-en-20211014
- Behavioral task behavioral4: Sample SharedFiles.dll, Resource win10-en-20210920

The signatures and process tree below are from behavioral2 (Documents.lnk on win10-en-20210920); the rundll32.exe instance they refer to is PID 3988.
General
- Target: Documents.lnk
- Size: 1KB
- MD5: 4d8af5ba95aa23f7162b7bbf8622d801
- SHA1: d5b8c1a219686be5b75e58c560609023b491d9aa
- SHA256: e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
- SHA512: f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c
Malware Config
Signatures
- Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
NtCreateUserProcess was called with a parent-process attribute naming a process other than the caller (parent PID spoofing). Here rundll32.exe (3988) named Explorer.EXE (3040) as the parent; read together with the SetThreadContext and WriteProcessMemory entries below and the process tree, the spoofed-parent child is chrome.exe (576), which then sits under Explorer.EXE in the tree rather than under rundll32.exe.
Processes:
  description               pid   process       target process
  PID 3988 created 3040     3988  rundll32.exe  Explorer.EXE
- Bazar/Team9 Loader payload (1 IoC)
Processes:
  resource                                                                    yara_rule
  behavioral2/memory/3988-116-0x0000000180001000-0x000000018002E000-memory.dmp  BazarLoaderVar5
- Blocklisted process makes network request (2 IoCs)
Processes:
  flow  pid   process
  24    3988  rundll32.exe
  25    3988  rundll32.exe
- Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others. The .bazar TLD is served by the Emercoin blockchain name system, not the ICANN root, so these names only resolve through resolvers that honour EmerDNS; on an ordinary corporate resolver the lookup itself is the indicator. All queries here come from rundll32.exe (3988). The listing stops at exactly 64 entries, as does the WriteProcessMemory listing below, which points to a display cap rather than the full count. Most names repeat across several flows; flow 50, bluehail.bazar, is the earliest flow and the only name that does not follow the same consonant/vowel pattern as the rest.
Processes:
  flow  ioc
  766   etedwyed.bazar
  871   iqekekom.bazar
  901   aqtowyem.bazar
  1011  vuibekyw.bazar
  1022  izeduhem.bazar
  284   aquheked.bazar
  596   fuuhwyyw.bazar
  836   tuuhwyom.bazar
  857   lieluhem.bazar
  1066  etsoidom.bazar
  1094  tuacekem.bazar
  306   owacidyw.bazar
  448   ypudekyw.bazar
  350   agewuhyw.bazar
  1182  biidekom.bazar
  1047  ufonidyw.bazar
  1072  etsoidom.bazar
  1143  futowyom.bazar
  470   uccaeked.bazar
  910   owomidom.bazar
  1245  hucauhyw.bazar
  86    agekidem.bazar
  138   ehcaekem.bazar
  707   vuywuhem.bazar
  991   ypcawyom.bazar
  1218  owudwyem.bazar
  234   iqemekyw.bazar
  241   iqemekyw.bazar
  610   iqelwyed.bazar
  620   iqelwyed.bazar
  1007  vuibekyw.bazar
  1168  aqomekyw.bazar
  223   lionwyed.bazar
  351   agewuhyw.bazar
  601   aqacidom.bazar
  898   aqtowyem.bazar
  986   huwyidem.bazar
  1119  liekwyyw.bazar
  50    bluehail.bazar
  538   ehonuhyw.bazar
  345   agewuhyw.bazar
  422   izywwyed.bazar
  600   aqacidom.bazar
  730   ypwyuhed.bazar
  781   tyqeekem.bazar
  1117  liekwyyw.bazar
  112   ucwyuhyw.bazar
  290   aquheked.bazar
  1236  hucauhyw.bazar
  870   iqekekom.bazar
  1163  aqomekyw.bazar
  114   ucwyuhyw.bazar
  635   biekekyw.bazar
  826   tysoidem.bazar
  1293  yponidem.bazar
  572   tusouhed.bazar
  729   ypwyuhed.bazar
  769   etedwyed.bazar
  215   lionwyed.bazar
  533   ehonuhyw.bazar
  444   ypudekyw.bazar
  787   tyqeekem.bazar
  976   huwyidem.bazar
  1239  hucauhyw.bazar
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process       target process
  PID 3988 set thread context of 576    3988  rundll32.exe  chrome.exe
- Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's own note reads "likely ransomware behaviour", but that is the generic text attached to this heuristic; the sample is classified above as a loader, and no encryption or file modification is reported, so the drive enumeration on its own does not indicate ransomware here.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3988  rundll32.exe
  3988  rundll32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (identical rows collapsed, with the number of occurrences in the listing):
  description                    pid   process       target process  occurrences
  PID 4324 wrote to memory of 3988  4324  cmd.exe       rundll32.exe    2
  PID 3988 wrote to memory of 576   3988  rundll32.exe  chrome.exe      62
Processes
(indentation shows the parent/child depth recorded by the sandbox)

C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\system32\rundll32.exe
  rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore

Reading the tree: the sandbox runs the submitted LNK through cmd.exe, and the LNK's target is rundll32.exe loading SharedFiles.dll and calling its BasicScore export. The DLL is referenced by bare name, so rundll32 resolves it through the loader search order starting from the working directory; that only works when the DLL is delivered alongside the LNK (here both sit in %TEMP%). chrome.exe appears as a direct child of Explorer.EXE with no arguments, which is what parent PID spoofing produces; the SetThreadContext and WriteProcessMemory entries against PID 576 show rundll32.exe injecting into that chrome.exe instance rather than Chrome running on its own. The final rundll32 entry at depth 1 is the DLL invoked by full path with the same export name.
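The behaviour in this report reduces to three observable facts on an endpoint: a DNS query for a .bazar name, rundll32.exe loading a DLL by bare name or from a user-writable directory with a named export, and rundll32.exe being spawned by cmd.exe running a .lnk file. The script below is an added example of detection logic for those three facts; it is not code from the sandbox report or from the malware's authors. The EVENTS list is constructed Sysmon-style data modelled on the process tree and DNS indicators above (EventID 1 = process creation, EventID 22 = DNS query), not exported log data, and the shell32.dll record is a benign control included only to show the rundll32 rule staying quiet on a system DLL loaded by full path.

```python
"""Detection logic for the rundll32 / .bazar chain described in this report.

Added example: this is not code from the sandbox report or from the
malware's authors. EVENTS is constructed Sysmon-style data modelled on the
process tree and DNS indicators above, not exported log data.
"""
import re
from collections import Counter

# .bazar is an Emercoin blockchain TLD that does not exist in the ICANN root,
# so a lookup for it from an ordinary corporate host is an indicator by itself.
BLOCKCHAIN_TLDS = (".bazar",)

# Locations a standard user can write to. A DLL handed to rundll32 from here,
# or by bare name (resolved via the loader search path from the working
# directory, as "SharedFiles.dll,BasicScore" is above), yields a finding.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# rundll32[.exe] ["]<dll>["],<export>   (export may be a name or #ordinal)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>[A-Za-z_]\w*|#\d+)',
    re.IGNORECASE,
)

EVENTS = [  # constructed sample records, PIDs chosen to match the report
    {"EventID": 1, "ProcessId": 3040, "ParentProcessId": 1000,
     "Image": r"C:\Windows\Explorer.EXE", "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 4324, "ParentProcessId": 3040,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk"},
    {"EventID": 1, "ProcessId": 3988, "ParentProcessId": 4324,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore'},
    {"EventID": 22, "ProcessId": 3988, "Image": r"C:\Windows\System32\rundll32.exe",
     "QueryName": "bluehail.bazar"},
    {"EventID": 22, "ProcessId": 3988, "Image": r"C:\Windows\System32\rundll32.exe",
     "QueryName": "etedwyed.bazar"},
    {"EventID": 22, "ProcessId": 2222,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.google.com"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 3040,  # benign control
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def parse_rundll32(cmdline):
    """Return (dll, export) from a rundll32 command line, or None if absent."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def dll_is_untrusted(dll):
    """True for a bare filename (no path) or a path under a user-writable dir."""
    low = dll.lower()
    if "\\" not in low and "/" not in low:
        return True
    return any(marker in low for marker in USER_WRITABLE)


def analyze(events):
    """Run the three rules over a list of event dicts; return findings."""
    findings = []
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    for e in events:
        if e["EventID"] == 22:
            qname = e["QueryName"].lower().rstrip(".")
            if qname.endswith(BLOCKCHAIN_TLDS):
                findings.append({"rule": "bazar_tld_query",
                                 "pid": e["ProcessId"], "detail": qname})
        elif e["EventID"] == 1 and e["Image"].lower().endswith("\\rundll32.exe"):
            parsed = parse_rundll32(e["CommandLine"])
            if parsed and dll_is_untrusted(parsed[0]):
                findings.append({"rule": "rundll32_untrusted_dll",
                                 "pid": e["ProcessId"],
                                 "detail": f"{parsed[0]},{parsed[1]}"})
            parent = by_pid.get(e["ParentProcessId"])
            if parent and parent["Image"].lower().endswith("\\cmd.exe") \
                    and ".lnk" in parent["CommandLine"].lower():
                findings.append({"rule": "lnk_cmd_rundll32_chain",
                                 "pid": e["ProcessId"],
                                 "detail": parent["CommandLine"]})
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:<24} pid={f['pid']:<5} {f['detail']}")
```

Two design points. First, the example deliberately does not try to tie chrome.exe back to rundll32.exe from process-creation events: Sysmon's ParentProcessId is the parent the kernel records, which under parent PID spoofing is Explorer.EXE, exactly as the tree above shows. Linking the injection target to its real creator needs telemetry that records the creating thread or the cross-process memory writes themselves. Second, the rundll32 rule keys on where the DLL comes from rather than on the export name, because BasicScore is specific to this sample and will change, while a DLL loaded by bare name or from %TEMP% is the stable part of the technique.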