Analysis

  • max time kernel
    397s
  • max time network
    406s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    30/11/2021, 02:47

General

  • Target

    run.bat

  • Size

    30B

  • MD5

    8f1bc18c9374d4e61900a4a131ac144a

  • SHA1

    9cca879179dfabfb8d1350d02bdb2f097e47cd42

  • SHA256

    78346a5edff4fa34210349541e7227c54358373586959c31b8e9cd490e5358f4

  • SHA512

    00cbe82b5336e6061f1ad402d5cce6db24acf6083e5cae8c4a39da32e680d170ce919eab2078af11697578792404e1216dcc90c5a59d3f56f9a79492b090295b

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 14 IoCs
  • Tries to connect to .bazar domain 3 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Windows\system32\rundll32.exe
      rundll32.exe grandpa.mpeg,gigi
      2⤵
      • Blocklisted process makes network request
      PID:524

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/524-56-0x00000000003B0000-0x00000000003DE000-memory.dmp

          Filesize

          184KB