Analysis
-
max time kernel
1708s -
max time network
1762s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
25-10-2021 17:39
General
-
Target
SharedFiles.dll
-
Size
601KB
-
MD5
adf5dc4ac48443f7042237921620a740
-
SHA1
492528054a7de48cfab7ca982bfd7a5459b3e062
-
SHA256
b60a22be0a21e0a4c52a0fe0fecc2b55205297e1ddafd2364f75b46b8deedb74
-
SHA512
ae629b9181b773a00d6ac74dc2b262fe87995c8f5ae58ae3c3a7b2d7784b99dc382ef41fa02ff35bbdfea76aac638fa7a43b6fc00ea6fdc5b66a1bcca60568ba
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Bazar/Team9 Loader payload 1 IoCs
-
Blocklisted process makes network request 2 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll,#11⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
-
C:\Windows\system32\rundll32.exerundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",#11⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4092-115-0x0000000180001000-0x000000018002E000-memory.dmpFilesize
180KB