Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3810s -
max time network
3824s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
31-10-2021 09:03
General
-
Target
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
-
Size
172KB
-
MD5
7a70755b8388c0bc73c7cdc557150dca
-
SHA1
8ed83eeadcda38d92ab079a7b8483cbdb8cc3ac1
-
SHA256
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360
-
SHA512
a9347e82c9cb77be18841badf0fccece9a860a48fa17ad3ad410120cc6bd6fa585758c9071c4627d22b8a49eee615032cc4448cfb1860be87b3ea77311e5616f
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 3 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll,DllRegisterServer {B0B5A78B-43C7-4364-A2EC-974A10311EAC}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll,DllRegisterServer {B0B5A78B-43C7-4364-A2EC-974A10311EAC}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\yRjjXeBKtP[1]MD5
1cfff1bb6a8c9e33c89eb71bab632e40
SHA15163578f4a4a0d5c17dc8fadcbe806758974d638
SHA256817168832a2e409728cafbf935c46287457f5afb335a075de77de67290501ca0
SHA5128e4ca41625d62ee7904f8f15cef8dead476a3489596cce301dbc64dd876aa31ea7e0ee0be55aa8855df21ef9a8492e3c0337ee5601721aa7f0ce03def415b01d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\geoip[1].txtMD5
2a42fadf693cc02ba332e2ebb94b1787
SHA19c85f092df98dba884aa206d20882b818450c79b
SHA256c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690
SHA512a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de
-
memory/348-120-0x00007FF7496B0000-0x00007FF7496FC000-memory.dmpFilesize
304KB
-
memory/348-121-0x00007FF7496D5EC0-mapping.dmp
-
memory/348-122-0x00007FF7496B0000-0x00007FF7496FC000-memory.dmpFilesize
304KB
-
memory/1276-125-0x0000022F83EC0000-0x0000022F83FEC000-memory.dmpFilesize
1.2MB
-
memory/1916-119-0x00000200FEA50000-0x00000200FEB7C000-memory.dmpFilesize
1.2MB
-
memory/2800-118-0x00000000022E0000-0x000000000240C000-memory.dmpFilesize
1.2MB