Analysis
- max time kernel: 1192s
- max time network: 1243s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 15:06
Static task: static1
Behavioral task: behavioral1
Sample: Documents.lnk
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: Documents.lnk
Resource: win10-en-20211014
General
- Target: Documents.lnk
- Size: 1KB
- MD5: 4d8af5ba95aa23f7162b7bbf8622d801
- SHA1: d5b8c1a219686be5b75e58c560609023b491d9aa
- SHA256: e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
- SHA512: f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description: PID 1724 created 1400; pid: 1724; process: rundll32.exe; target process: Explorer.EXE
-
Bazar/Team9 Loader payload 1 IoCs
Processes:
resource: behavioral1/memory/1724-56-0x0000000180001000-0x000000018002E000-memory.dmp; yara_rule: BazarLoaderVar5
-
Blocklisted process makes network request 14 IoCs
Processes:
flow 4: pid 1724, rundll32.exe
flow 5: pid 1724, rundll32.exe
flow 6: pid 1724, rundll32.exe
flow 7: pid 1724, rundll32.exe
flow 8: pid 1724, rundll32.exe
flow 9: pid 1724, rundll32.exe
flow 11: pid 1724, rundll32.exe
flow 12: pid 1724, rundll32.exe
flow 13: pid 1724, rundll32.exe
flow 14: pid 1724, rundll32.exe
flow 15: pid 1724, rundll32.exe
flow 16: pid 1724, rundll32.exe
flow 17: pid 1724, rundll32.exe
flow 19: pid 1724, rundll32.exe
-
Tries to connect to .bazar domain 7 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow 15: whitestorm9p.bazar
flow 16: aqsouhyw.bazar
flow 50: reddew28c.bazar
flow 51: bluehail.bazar
flow 52: whitestorm9p.bazar
flow 13: reddew28c.bazar
flow 14: bluehail.bazar
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description: PID 1724 set thread context of 1920; pid: 1724; process: rundll32.exe; target process: chrome.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid: 1724; process: rundll32.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Processes
-
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
  -
  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
-
C:\Windows\system32\rundll32.exe
rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: ab5c36d10261c173c5896f3478cdc6b7
SHA1: 87ac53810ad125663519e944bc87ded3979cbee4
SHA256: f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9
SHA512: e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 8efb095d217335d1d078531fe0fd5137
SHA1: 1185d4ac368152675ad2ab05049957a05cc1a2cc
SHA256: e4c592ee119b0a4cb92938486d9ac9ed017f23d71b3aa53b7ef5d1ed1d00d165
SHA512: ccae6168fe1e49571c9649cff8bfd9de07fd2b43da00d5916f4b8abe52acff3c423a28db4b33490eeb2b8d8865275233fac8b69c85ff6229f90485db8694f337
-
memory/1112-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
Filesize: 8KB
-
memory/1724-54-0x0000000000000000-mapping.dmp
-
memory/1724-55-0x0000000000440000-0x0000000000467000-memory.dmp
Filesize: 156KB
-
memory/1724-56-0x0000000180001000-0x000000018002E000-memory.dmp
Filesize: 180KB