Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

SharedFiles.dll

windows7_x64

10

SharedFiles.dll

windows10_x64

10

Analysis

  • max time kernel
    1800s
  • max time network
    1800s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-10-2021 17:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SharedFiles.dll

  • Size

    601KB

  • MD5

    adf5dc4ac48443f7042237921620a740

  • SHA1

    492528054a7de48cfab7ca982bfd7a5459b3e062

  • SHA256

    b60a22be0a21e0a4c52a0fe0fecc2b55205297e1ddafd2364f75b46b8deedb74

  • SHA512

    ae629b9181b773a00d6ac74dc2b262fe87995c8f5ae58ae3c3a7b2d7784b99dc382ef41fa02ff35bbdfea76aac638fa7a43b6fc00ea6fdc5b66a1bcca60568ba

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1300
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll,#1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:944
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        2⤵
          PID:852
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe"
          2⤵
            PID:1060
        • C:\Windows\system32\rundll32.exe
          rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",#1
          1⤵
            PID:1208

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
            MD5

            01d5c864e4185d3eb77d71e9976f8813

            SHA1

            e160d3691f26a2b37115965c3c718f022029f57b

            SHA256

            2d82a405ee8379347b855b5a6e2bc0ba637b05701a934b28d53afe7c4451e813

            SHA512

            09a09f647dfb09d302e579df7e0bbe766993fb0a7a59b60c238cafc67bbd6a9e9f37a65630a14715175cd5a495eeda409946deedc208b4e98f1620bfae1db3dd

            Download Submit
          • memory/852-57-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/944-55-0x0000000001C90000-0x0000000001CB7000-memory.dmp
            Filesize

            156KB

            Download
          • memory/944-56-0x0000000180001000-0x000000018002E000-memory.dmp
            Filesize

            180KB

            Download