Analysis

  • max time kernel
    402s
  • max time network
    405s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    30/11/2021, 02:47

General

  • Target

    run.bat

  • Size

    30B

  • MD5

    8f1bc18c9374d4e61900a4a131ac144a

  • SHA1

    9cca879179dfabfb8d1350d02bdb2f097e47cd42

  • SHA256

    78346a5edff4fa34210349541e7227c54358373586959c31b8e9cd490e5358f4

  • SHA512

    00cbe82b5336e6061f1ad402d5cce6db24acf6083e5cae8c4a39da32e680d170ce919eab2078af11697578792404e1216dcc90c5a59d3f56f9a79492b090295b

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 1 IoCs
  • Blocklisted process makes network request 27 IoCs
  • Tries to connect to .bazar domain 12 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\system32\rundll32.exe
      rundll32.exe grandpa.mpeg,gigi
      2⤵
      • Blocklisted process makes network request
      PID:492

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/492-119-0x000001D0FA4F0000-0x000001D0FA51E000-memory.dmp

          Filesize

          184KB