Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3874s -
max time network
3881s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
31-10-2021 09:03
General
-
Target
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
-
Size
172KB
-
MD5
a3d0c939bd3ecb8d11bd06c2bd15f45e
-
SHA1
b7fcdacc3507ed2f84752068fb0039c600003536
-
SHA256
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c
-
SHA512
40a6bf12a8aedf563ae762249b8d5c44c39a1002ec581f07f1ff0f5b91dd6dfe6badadd71ae15efa608e129e5b3389390bf62d40dca9fddca2e04bd37e045f52
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 3 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll,DllRegisterServer {3D966DB7-3A12-47F8-A946-86754A29F1D1}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll,DllRegisterServer {3D966DB7-3A12-47F8-A946-86754A29F1D1}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\qCzma0yRw3[1]MD5
4f55b5243ca60c52c40c48efc429e9c6
SHA1f7a44b86a69c05a67ec3ee8802e9e7dbeef7eae3
SHA256b819014abf96bc6584f9c8cc553886bc1c3b3acaa84e6e192085eec99fabd95f
SHA512a4158a9e09bc3fcddddae9a75afb4d6a49b06fd448dae36daeb0344d83f8db2cbaaf47e39bb4f1d30b0e15eae4c2d1753b1a82712f69f7c13d664a0bb17663c8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\geoip[1].txtMD5
2a42fadf693cc02ba332e2ebb94b1787
SHA19c85f092df98dba884aa206d20882b818450c79b
SHA256c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690
SHA512a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de
-
memory/360-119-0x000002209CEC0000-0x000002209CFEC000-memory.dmpFilesize
1.2MB
-
memory/3136-118-0x0000000002860000-0x000000000298C000-memory.dmpFilesize
1.2MB
-
memory/3176-121-0x00007FF622FB5EC0-mapping.dmp
-
memory/3176-120-0x00007FF622F90000-0x00007FF622FDC000-memory.dmpFilesize
304KB
-
memory/3176-122-0x00007FF622F90000-0x00007FF622FDC000-memory.dmpFilesize
304KB
-
memory/3268-125-0x000001EA95290000-0x000001EA953BC000-memory.dmpFilesize
1.2MB