bazarloader | 9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

max time kernel
148s
max time network
139s
platform
windows11_x64
resource
win11
submitted
01-11-2021 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
Size

172KB
MD5

f943853cddc15b59823962b28f08b809
SHA1

3e46675756a6f0dc722c620f3bc12610fe27c010
SHA256

6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb
SHA512

1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral17/memory/4084-146-0x0000000002970000-0x0000000002A9C000-memory.dmp	BazarLoaderVar6
behavioral17/memory/2576-150-0x00000257DC410000-0x00000257DC53C000-memory.dmp	BazarLoaderVar6

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exeWaaSMedicAgent.exesvchost.exeWaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeShutdownPrivilege	1792	svchost.exe
Token: SeCreatePagefilePrivilege	1792	svchost.exe
Token: SeShutdownPrivilege	1792	svchost.exe
Token: SeCreatePagefilePrivilege	1792	svchost.exe
Token: SeShutdownPrivilege	1792	svchost.exe
Token: SeCreatePagefilePrivilege	1792	svchost.exe
Token: SeShutdownPrivilege	2428	svchost.exe
Token: SeCreatePagefilePrivilege	2428	svchost.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe
Token: SeSecurityPrivilege	1592	TiWorker.exe
Token: SeBackupPrivilege	1592	TiWorker.exe
Token: SeRestorePrivilege	1592	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 2428 wrote to memory of 5048	2428	svchost.exe	MoUsoCoreWorker.exe
PID 2428 wrote to memory of 5048	2428	svchost.exe	MoUsoCoreWorker.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
1⤵
PID:4084

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {873C12B5-EBF7-4C75-830C-2856BD96A042}
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
2⤵
PID:5048

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv gnqahFohP0ekkzqJluxbkA.0.2
1⤵
PID:3168

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:3992

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1792-148-0x000001EE85CA0000-0x000001EE85CB0000-memory.dmp

Filesize
64KB

Download
memory/1792-147-0x000001EE85C20000-0x000001EE85C30000-memory.dmp

Filesize
64KB

Download
memory/1792-149-0x000001EE883D0000-0x000001EE883D4000-memory.dmp

Filesize
16KB

Download
memory/2576-150-0x00000257DC410000-0x00000257DC53C000-memory.dmp

Filesize
1.2MB

Download
memory/4084-146-0x0000000002970000-0x0000000002A9C000-memory.dmp

Filesize
1.2MB

Download
memory/5048-151-0x0000000000000000-mapping.dmp

Download