Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3826s -
max time network
3844s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
31-10-2021 09:03
General
-
Target
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
-
Size
172KB
-
MD5
f943853cddc15b59823962b28f08b809
-
SHA1
3e46675756a6f0dc722c620f3bc12610fe27c010
-
SHA256
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb
-
SHA512
1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 3 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {7E1BEB6D-F803-4A02-8AAD-6652C4AF37C6}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {7E1BEB6D-F803-4A02-8AAD-6652C4AF37C6}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OY8D4S7I\geoip[1].txtMD5
2a42fadf693cc02ba332e2ebb94b1787
SHA19c85f092df98dba884aa206d20882b818450c79b
SHA256c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690
SHA512a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\hgn30yJXt7[1]MD5
848d5f1ec31cf2cb44a4d37375358bd9
SHA16e4cfb6040e0c68eede8731c14e2dbe2c21d52da
SHA256175358fb7b625760d8c08b333c2a6686d0704bce909cee58f341e3dc4286f641
SHA512e49a40cba02648ead95c06c2ef6b8dd5a1c1643771cdeea3d8cca25cd38842617c2031de17cc1f179d0f1a92869b47da4d6d300f5fb7099e7d76131db93e18f0
-
memory/1092-120-0x00007FF71D950000-0x00007FF71D99C000-memory.dmpFilesize
304KB
-
memory/1092-121-0x00007FF71D975EC0-mapping.dmp
-
memory/1092-122-0x00007FF71D950000-0x00007FF71D99C000-memory.dmpFilesize
304KB
-
memory/1732-125-0x00000245F6F60000-0x00000245F708C000-memory.dmpFilesize
1.2MB
-
memory/1992-118-0x00000000027C0000-0x00000000028EC000-memory.dmpFilesize
1.2MB
-
memory/3628-119-0x000002C090ED0000-0x000002C090FFC000-memory.dmpFilesize
1.2MB