bazarloader | f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
18/11/2021, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
Size

1.0MB
MD5

4f0ff6002a6883636aace79606463b35
SHA1

54b8a004d96418010e2721fbe8bb156464b7da0f
SHA256

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb
SHA512

5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

18.188.232.155

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 7 IoCs

resource	yara_rule
behavioral1/files/0x001600000000f5e9-60.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-61.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-62.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-64.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-67.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-70.dat	BazarLoaderVar1
behavioral1/files/0x001600000000f5e9-68.dat	BazarLoaderVar1

Executes dropped EXE 2 IoCs

pid	Process
972	SMWBD08.exe
1664	SMWBD08.exe

Loads dropped DLL 4 IoCs

pid	Process
1428	cmd.exe
1428	cmd.exe
964	cmd.exe
964	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\FFMQN9YDJTU = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v BJOLJHRA /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SMWBD08.exe\\\" PVJR8\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SMWBD08.exe\" PVJR8"	SMWBD08.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
636	PING.EXE
1112	PING.EXE
824	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	28
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	28
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	28
PID 588 wrote to memory of 636	588	cmd.exe	30
PID 588 wrote to memory of 636	588	cmd.exe	30
PID 588 wrote to memory of 636	588	cmd.exe	30
PID 588 wrote to memory of 2020	588	cmd.exe	31
PID 588 wrote to memory of 2020	588	cmd.exe	31
PID 588 wrote to memory of 2020	588	cmd.exe	31
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	32
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	32
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	32
PID 1428 wrote to memory of 1112	1428	cmd.exe	34
PID 1428 wrote to memory of 1112	1428	cmd.exe	34
PID 1428 wrote to memory of 1112	1428	cmd.exe	34
PID 1428 wrote to memory of 972	1428	cmd.exe	35
PID 1428 wrote to memory of 972	1428	cmd.exe	35
PID 1428 wrote to memory of 972	1428	cmd.exe	35
PID 972 wrote to memory of 964	972	SMWBD08.exe	36
PID 972 wrote to memory of 964	972	SMWBD08.exe	36
PID 972 wrote to memory of 964	972	SMWBD08.exe	36
PID 964 wrote to memory of 824	964	cmd.exe	38
PID 964 wrote to memory of 824	964	cmd.exe	38
PID 964 wrote to memory of 824	964	cmd.exe	38
PID 964 wrote to memory of 1664	964	cmd.exe	39
PID 964 wrote to memory of 1664	964	cmd.exe	39
PID 964 wrote to memory of 1664	964	cmd.exe	39

C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
"C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe SBF9WR3
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - Runs ping.exe
    PID:636
- - C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
    C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe SBF9WR3
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe ZYMR1U
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        Runs ping.exe
        
        PID:1112
    - - C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
        
        C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe ZYMR1U
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:972
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe PVJR8
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        Runs ping.exe
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
        
        C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe PVJR8
        7⤵
        Executes dropped EXE
        
        PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads