Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3889s -
max time network
3906s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
31-10-2021 09:03
General
-
Target
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
-
Size
172KB
-
MD5
6feafb5aa21e924e2a7dfc0cb87653e6
-
SHA1
eae7d011f43747b9a67b115733dc906dcbf976e7
-
SHA256
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479
-
SHA512
b21704bc4b06eed4d3468d144f90132af87af031dd9f6ad3ac771f75d9b02227eecbac79a53079955bbd9ea3a050d14a52af5829a50eaec745b7c617c16bc1a1
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 3 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\LNpcZiibJq[1]MD5
2751f2b426fc0897b587cb4d9b5c9761
SHA1ba59bdef1977427854b2698874f04ec47dcff9e1
SHA256f68b79119ebfae039fc2586db3028f1bb8034399ce5f151b84f7e74375fe27b4
SHA512a66aecde67390ef9ae46e12e8cb70a0d4579fd4c856f0d6cf4f82de13a425aa18dd064d9f70daacdcfaa45eaaddde37462270b7252b07cc6fc6f07e13587fd13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\geoip[1].txtMD5
2a42fadf693cc02ba332e2ebb94b1787
SHA19c85f092df98dba884aa206d20882b818450c79b
SHA256c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690
SHA512a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de
-
memory/1500-120-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmpFilesize
304KB
-
memory/1500-121-0x00007FF731C05EC0-mapping.dmp
-
memory/1500-122-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmpFilesize
304KB
-
memory/1548-118-0x0000000001F00000-0x000000000202C000-memory.dmpFilesize
1.2MB
-
memory/2692-125-0x0000017DF9720000-0x0000017DF984C000-memory.dmpFilesize
1.2MB
-
memory/4384-119-0x000002C17BD90000-0x000002C17BEBC000-memory.dmpFilesize
1.2MB