Overview

overview

10

Static

static

Documents.lnk

windows7_x64

10

Documents.lnk

windows10_x64

10

Analysis

  • max time kernel
    1192s
  • max time network
    1243s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    26-10-2021 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Documents.lnk

  • Size

    1KB

  • MD5

    4d8af5ba95aa23f7162b7bbf8622d801

  • SHA1

    d5b8c1a219686be5b75e58c560609023b491d9aa

  • SHA256

    e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162

  • SHA512

    f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 14 IoCs
  • Tries to connect to .bazar domain 7 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" SharedFiles.dll,BasicScore
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Blocklisted process makes network request
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1724
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1400
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        2⤵
          PID:1920
      • C:\Windows\system32\rundll32.exe
        rundll32 "C:\Users\Admin\AppData\Local\Temp\SharedFiles.dll",BasicScore
        1⤵
          PID:1512

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          MD5

          ab5c36d10261c173c5896f3478cdc6b7

          SHA1

          87ac53810ad125663519e944bc87ded3979cbee4

          SHA256

          f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

          SHA512

          e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

          Download Submit
        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
          MD5

          8efb095d217335d1d078531fe0fd5137

          SHA1

          1185d4ac368152675ad2ab05049957a05cc1a2cc

          SHA256

          e4c592ee119b0a4cb92938486d9ac9ed017f23d71b3aa53b7ef5d1ed1d00d165

          SHA512

          ccae6168fe1e49571c9649cff8bfd9de07fd2b43da00d5916f4b8abe52acff3c423a28db4b33490eeb2b8d8865275233fac8b69c85ff6229f90485db8694f337

          Download Submit
        • memory/1112-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1724-54-0x0000000000000000-mapping.dmp
          Download
        • memory/1724-55-0x0000000000440000-0x0000000000467000-memory.dmp
          Filesize

          156KB

          Download
        • memory/1724-56-0x0000000180001000-0x000000018002E000-memory.dmp
          Filesize

          180KB

          Download