Analysis
- max time kernel: 155s
- max time network: 155s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 26-10-2021 06:05
Static task: static1
Behavioral task: behavioral1
  Sample: Documents.lnk
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: Documents.lnk
  Resource: win10-en-20210920
Behavioral task: behavioral3
  Sample: SharedFiles.dll
  Resource: win7-en-20210920
Behavioral task: behavioral4
  Sample: SharedFiles.dll
  Resource: win10-en-20211014
General
- Target: Documents.lnk
- Size: 1KB
- MD5: 4d8af5ba95aa23f7162b7bbf8622d801
- SHA1: d5b8c1a219686be5b75e58c560609023b491d9aa
- SHA256: e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
- SHA512: f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1000-58-0x0000000180001000-0x000000018002E000-memory.dmp   BazarLoaderVar5
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                        pid   process   target process
  PID 644 wrote to memory of 1000    644   cmd.exe   rundll32.exe
  PID 644 wrote to memory of 1000    644   cmd.exe   rundll32.exe
  PID 644 wrote to memory of 1000    644   cmd.exe   rundll32.exe
Processes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/644-55-0x000007FEFBB41000-0x000007FEFBB43000-memory.dmp (Filesize: 8KB)
- memory/1000-56-0x0000000000000000-mapping.dmp
- memory/1000-57-0x00000000003D0000-0x00000000003F7000-memory.dmp (Filesize: 156KB)
- memory/1000-58-0x0000000180001000-0x000000018002E000-memory.dmp (Filesize: 180KB)