bazarloader | f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

General

Target

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
Size

1.0MB
MD5

4f0ff6002a6883636aace79606463b35
SHA1

54b8a004d96418010e2721fbe8bb156464b7da0f
SHA256

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb
SHA512

5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

18.188.232.155

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

IZVA66D.exeIZVA66D.exe

pid process

592 IZVA66D.exe
2884 IZVA66D.exe

pid	process
592	IZVA66D.exe
2884	IZVA66D.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IZVA66D.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	IZVA66D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GNGCEO31QU = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OYKWU9Y6A /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IZVA66D.exe\\\" I3BV\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IZVA66D.exe\" I3BV"	IZVA66D.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1364 PING.EXE
3108 PING.EXE
3008 PING.EXE

pid	process
1364	PING.EXE
3108	PING.EXE
3008	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

pid	process
2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.execmd.exef18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.execmd.exeIZVA66D.execmd.exe

description	pid	process	target process
PID 2412 wrote to memory of 3736	2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 2412 wrote to memory of 3736	2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 3736 wrote to memory of 1364	3736	cmd.exe	PING.EXE
PID 3736 wrote to memory of 1364	3736	cmd.exe	PING.EXE
PID 3736 wrote to memory of 868	3736	cmd.exe	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
PID 3736 wrote to memory of 868	3736	cmd.exe	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
PID 868 wrote to memory of 2012	868	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 868 wrote to memory of 2012	868	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 2012 wrote to memory of 3108	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 3108	2012	cmd.exe	PING.EXE
PID 2012 wrote to memory of 592	2012	cmd.exe	IZVA66D.exe
PID 2012 wrote to memory of 592	2012	cmd.exe	IZVA66D.exe
PID 592 wrote to memory of 3432	592	IZVA66D.exe	cmd.exe
PID 592 wrote to memory of 3432	592	IZVA66D.exe	cmd.exe
PID 3432 wrote to memory of 3008	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 3008	3432	cmd.exe	PING.EXE
PID 3432 wrote to memory of 2884	3432	cmd.exe	IZVA66D.exe
PID 3432 wrote to memory of 2884	3432	cmd.exe	IZVA66D.exe

C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
"C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe WBH9MI
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - Runs ping.exe
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
    C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe WBH9MI
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe W4X7FLF
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        Runs ping.exe
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe W4X7FLF
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe I3BV
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe I3BV
        7⤵
        Executes dropped EXE
        
        PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe

MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe

MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe

MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
memory/592-123-0x0000000000000000-mapping.dmp

Download
memory/868-120-0x0000000000000000-mapping.dmp

Download
memory/1364-119-0x0000000000000000-mapping.dmp

Download
memory/2012-121-0x0000000000000000-mapping.dmp

Download
memory/2884-128-0x0000000000000000-mapping.dmp

Download
memory/3008-127-0x0000000000000000-mapping.dmp

Download
memory/3108-122-0x0000000000000000-mapping.dmp

Download
memory/3432-126-0x0000000000000000-mapping.dmp

Download
memory/3736-118-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads