Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

SharedFiles.dll

windows7_x64

10

SharedFiles.dll

windows10_x64

10

Analysis

  • max time kernel
    300s
  • max time network
    300s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    25-10-2021 17:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SharedFiles.dll

  • Size

    601KB

  • MD5

    adf5dc4ac48443f7042237921620a740

  • SHA1

    492528054a7de48cfab7ca982bfd7a5459b3e062

  • SHA256

    b60a22be0a21e0a4c52a0fe0fecc2b55205297e1ddafd2364f75b46b8deedb74

  • SHA512

    ae629b9181b773a00d6ac74dc2b262fe87995c8f5ae58ae3c3a7b2d7784b99dc382ef41fa02ff35bbdfea76aac638fa7a43b6fc00ea6fdc5b66a1bcca60568ba

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1268
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll,#1
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:776
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:1784
      • C:\Windows\system32\rundll32.exe
        rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",#1
        1⤵
          PID:1364

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          80292f1e89994ca3b5a7ecf0f5f9838b

          SHA1

          f33973d04ced06a9fcca07080d9414e0e73adcc4

          SHA256

          8f1dbe82a379ed0512dae7e7e98560589288b132c4c9f96ac23c98e04ce023f6

          SHA512

          f7ee3cb9fa84787b958250ff647f5f8081321b0dc88072d6997074906836f2f6aa3b3ccb4a174a5578a2483978e53a1751f50ec806019bb6f2857c48605365e1

          Download Submit
        • memory/776-55-0x0000000000130000-0x0000000000157000-memory.dmp
          Filesize

          156KB

          Download
        • memory/776-56-0x0000000180001000-0x000000018002E000-memory.dmp
          Filesize

          180KB

          Download