Overview

overview

10

Static

static

029b714502...39.dll

windows11_x64

10

061dfb6a25...52.dll

windows11_x64

10

06d55f75d7...d2.dll

windows11_x64

10

24401ac43b...65.dll

windows11_x64

8

260e2d5769...40.dll

windows11_x64

10

26cd036960...18.dll

windows11_x64

10

2a0a88a2e5...4a.dll

windows11_x64

10

2f33217d51...94.dll

windows11_x64

10

336cdd146b...da.dll

windows11_x64

10

417c1828d9...73.dll

windows11_x64

10

4d3095c796...ee.dll

windows11_x64

10

54e526fe05...4c.dll

windows11_x64

10

6402b33d72...3b.dll

windows11_x64

10

64c044cb3e...db.dll

windows11_x64

10

671f477c30...4e.dll

windows11_x64

10

67785724b6...ce.dll

windows11_x64

10

6c6934613a...fb.dll

windows11_x64

10

6f63742c25...fd.dll

windows11_x64

10

813a9b03c6...48.dll

windows11_x64

10

839ac59a78...e3.dll

windows11_x64

10

85d0b72fe8...39.dll

windows11_x64

10

a34cb4049e...c4.dll

windows11_x64

1

a55c19c552...60.dll

windows11_x64

1

a98e988f03...48.dll

windows11_x64

10

acc31f97c3...27.dll

windows11_x64

10

b194eec1e5...c7.dll

windows11_x64

10

bac73f9cce...00.dll

windows11_x64

10

c5d2f0da18...0c.dll

windows11_x64

10

d559ee0a26...7e.dll

windows11_x64

8

db5276c0d5...79.dll

windows11_x64

10

e5efde9740...15.dll

windows11_x64

10

fe028e6f99...1c.dll

windows11_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    01-11-2021 12:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll

  • Size

    172KB

  • MD5

    f943853cddc15b59823962b28f08b809

  • SHA1

    3e46675756a6f0dc722c620f3bc12610fe27c010

  • SHA256

    6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb

  • SHA512

    1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985

Score
10/10
bazarloaderdropperloaderpersistence

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 2 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 8 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
    1⤵
      PID:4084
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:856
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {873C12B5-EBF7-4C75-830C-2856BD96A042}
      1⤵
        PID:2576
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
        1⤵
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2428
        • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
          2⤵
            PID:5048
        • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
          C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1592
        • C:\Windows\System32\sihclient.exe
          C:\Windows\System32\sihclient.exe /cv gnqahFohP0ekkzqJluxbkA.0.2
          1⤵
            PID:3168
          • C:\Windows\System32\WaaSMedicAgent.exe
            C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
            1⤵
            • Modifies data under HKEY_USERS
            PID:3992
          • C:\Windows\System32\WaaSMedicAgent.exe
            C:\Windows\System32\WaaSMedicAgent.exe 1f6764066114f4f3d12b9af80fbe9dea wWbm9b2cJUS+6j6NQEP/6w.0.1.0.3.0
            1⤵
            • Modifies data under HKEY_USERS
            PID:4252

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1792-148-0x000001EE85CA0000-0x000001EE85CB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1792-147-0x000001EE85C20000-0x000001EE85C30000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1792-149-0x000001EE883D0000-0x000001EE883D4000-memory.dmp

            Filesize

            16KB

            Download

          • memory/2576-150-0x00000257DC410000-0x00000257DC53C000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4084-146-0x0000000002970000-0x0000000002A9C000-memory.dmp

            Filesize

            1.2MB

            Download