Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

SharedFiles.dll

windows7_x64

10

SharedFiles.dll

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    302s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-10-2021 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.lnk

  • Size

    1KB

  • MD5

    4d8af5ba95aa23f7162b7bbf8622d801

  • SHA1

    d5b8c1a219686be5b75e58c560609023b491d9aa

  • SHA256

    e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162

  • SHA512

    f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Windows\system32\cmd.exe
        cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\System32\rundll32.exe
          "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Blocklisted process makes network request
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:984
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:588
      • C:\Windows\system32\rundll32.exe
        rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore
        1⤵
          PID:580

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          d87295ee6c7d51f3cd360a9f0f65666d

          SHA1

          195aa22ce180cce58db4ce7556e4de0c6a0c7296

          SHA256

          e306ec7a83845577b8cc60775a0773ac5c101806be1aca639b4349f71349185b

          SHA512

          6030680420dcc03b67720a088552115427ed82b6c796af3ad82b9c757285a31c7ca5f5e3f8275a1d9428ed339c288129b94a4adbd8dace5bd1b2c9c0da1523bb

          Download Submit
        • memory/836-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/984-56-0x0000000000000000-mapping.dmp
          Download
        • memory/984-57-0x00000000002B0000-0x00000000002D7000-memory.dmp
          Filesize

          156KB

          Download
        • memory/984-58-0x0000000180001000-0x000000018002E000-memory.dmp
          Filesize

          180KB

          Download