Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3835s -
max time network
3849s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
31-10-2021 09:03
General
-
Target
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
-
Size
172KB
-
MD5
2c55997f5febc79d8aec77991f178138
-
SHA1
9d6d02ba0d021b6cdbf1fb8f594ebab3214325da
-
SHA256
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894
-
SHA512
099ad760edaf05a1b180f451c48762627bfc374c8ed2e1ff8969d18787a366495b3576cf7f3724c932d52fa34897e4ee57b7824df9c11d6f6784ec310ee40820
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
-
Bazar/Team9 Loader payload 2 IoCs
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll,DllRegisterServer {4CE979D1-AD57-4315-B874-DA81845159B9}1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OY8D4S7I\geoip[1].txtMD5
2a42fadf693cc02ba332e2ebb94b1787
SHA19c85f092df98dba884aa206d20882b818450c79b
SHA256c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690
SHA512a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\ucNrA5Xb3Q[1]MD5
b8f526c1b86dce6296dce90f004902e6
SHA113632e7a4e9e5ecc7a951567fe12db9d1cb74c5c
SHA256da16f58262053dffd06e0980e5358e67ed3003255f4c05ee539ce24ed7d08f72
SHA5125905c4ff467e1ca8d88b4b265de9b7b23441b6fcecb458f49dd420055f41e03be068afc8f3b424cc253108081d99c85d629ed054aeb536d39f9843650f31cc3f
-
memory/1588-120-0x00007FF73E190000-0x00007FF73E1DC000-memory.dmpFilesize
304KB
-
memory/1588-121-0x00007FF73E1B5EC0-mapping.dmp
-
memory/1588-122-0x00007FF73E190000-0x00007FF73E1DC000-memory.dmpFilesize
304KB
-
memory/2512-118-0x0000000002C70000-0x0000000002D9C000-memory.dmpFilesize
1.2MB
-
memory/3380-119-0x0000019E55580000-0x0000019E556AC000-memory.dmpFilesize
1.2MB