bazarloader | c2873cb1d6682cfef6594a70ea3ff63597f3e99333d85a546b712a07170d5c7e

Analysis

max time kernel
155s
max time network
155s
platform
windows7_x64
resource
win7-en-20211014
submitted
26-10-2021 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documents.lnk
Size

1KB
MD5

4d8af5ba95aa23f7162b7bbf8622d801
SHA1

d5b8c1a219686be5b75e58c560609023b491d9aa
SHA256

e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
SHA512

f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1000-58-0x0000000180001000-0x000000018002E000-memory.dmp	BazarLoaderVar5

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 644 wrote to memory of 1000	644	cmd.exe	rundll32.exe
PID 644 wrote to memory of 1000	644	cmd.exe	rundll32.exe
PID 644 wrote to memory of 1000	644	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
2⤵
PID:1000

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-55-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp

Filesize
8KB

Download
memory/1000-56-0x0000000000000000-mapping.dmp

Download
memory/1000-57-0x00000000003D0000-0x00000000003F7000-memory.dmp

Filesize
156KB

Download
memory/1000-58-0x0000000180001000-0x000000018002E000-memory.dmp

Filesize
180KB

Download