Analysis Overview
SHA256
5a36930f80cbf9c391eaeace63f0c12d882e27e27f73cb98a1c957ece4365b3d
Threat Level: Known bad
The file package.zip was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Blocklisted process makes network request
Tries to connect to .bazar domain
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-11-30 02:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-11-30 02:47
Reported
2021-11-30 02:55
Platform
win7-en-20211014
Max time kernel
397s
Max time network
406s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| N/A | reddew28c.bazar | N/A | N/A |
| N/A | bluehail.bazar | N/A | N/A |
| N/A | whitestorm9p.bazar | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe grandpa.mpeg,gigi
Network
| Country | Destination | Domain | Proto |
| US | 162.33.178.147:443 | tcp | |
| US | 162.33.178.147:443 | tcp | |
| US | 45.61.136.128:443 | tcp | |
| US | 45.61.136.128:443 | tcp | |
| US | 162.33.179.53:443 | tcp | |
| US | 162.33.179.53:443 | tcp | |
| US | 162.33.177.88:443 | tcp | |
| US | 162.33.177.88:443 | tcp | |
| DE | 130.61.64.122:53 | reddew28c.bazar | udp |
| DE | 130.61.64.122:53 | bluehail.bazar | udp |
| DE | 130.61.64.122:53 | whitestorm9p.bazar | udp |
| US | 162.33.178.147:443 | tcp | |
| US | 162.33.178.147:443 | tcp | |
| US | 45.61.136.128:443 | tcp |
Files
memory/524-55-0x0000000000000000-mapping.dmp
memory/524-56-0x00000000003B0000-0x00000000003DE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-11-30 02:47
Reported
2021-11-30 02:55
Platform
win10-en-20211104
Max time kernel
402s
Max time network
405s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| N/A | reddew28c.bazar | N/A | N/A |
| N/A | bluehail.bazar | N/A | N/A |
| N/A | whitestorm9p.bazar | N/A | N/A |
| N/A | ysylxyvu.bazar | N/A | N/A |
| N/A | bluehail.bazar | N/A | N/A |
| N/A | reddew28c.bazar | N/A | N/A |
| N/A | bluehail.bazar | N/A | N/A |
| N/A | whitestorm9p.bazar | N/A | N/A |
| N/A | ikqoxyiz.bazar | N/A | N/A |
| N/A | yqudekpi.bazar | N/A | N/A |
| N/A | reddew28c.bazar | N/A | N/A |
| N/A | whitestorm9p.bazar | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1012 wrote to memory of 492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1012 wrote to memory of 492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe grandpa.mpeg,gigi
Network
| Country | Destination | Domain | Proto |
| US | 52.109.8.20:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |
| US | 162.33.178.147:443 | tcp | |
| US | 45.61.136.128:443 | tcp | |
| US | 162.33.179.53:443 | tcp | |
| US | 162.33.177.88:443 | tcp | |
| DE | 130.61.64.122:53 | reddew28c.bazar | udp |
| DE | 130.61.64.122:53 | bluehail.bazar | udp |
| DE | 130.61.64.122:53 | whitestorm9p.bazar | udp |
| US | 162.33.178.147:443 | tcp | |
| US | 45.61.136.128:443 | tcp | |
| US | 162.33.179.53:443 | tcp | |
| US | 162.33.177.88:443 | tcp | |
| DE | 130.61.64.122:53 | reddew28c.bazar | udp |
| DE | 130.61.64.122:53 | bluehail.bazar | udp |
| DE | 130.61.64.122:53 | whitestorm9p.bazar | udp |
| US | 162.33.178.147:443 | tcp | |
| US | 45.61.136.128:443 | tcp | |
| US | 162.33.179.53:443 | tcp | |
| US | 162.33.177.88:443 | tcp | |
| DE | 130.61.64.122:53 | reddew28c.bazar | udp |
| DE | 130.61.64.122:53 | bluehail.bazar | udp |
| DE | 130.61.64.122:53 | whitestorm9p.bazar | udp |
| DE | 130.61.64.122:53 | ikqoxyiz.bazar | udp |
| US | 162.33.177.194:443 | tcp | |
| DE | 130.61.64.122:53 | yqudekpi.bazar | udp |
| US | 162.33.177.194:443 | tcp | |
| DE | 130.61.64.122:53 | ysylxyvu.bazar | udp |
| US | 162.33.177.194:443 | tcp |
Files
memory/492-118-0x0000000000000000-mapping.dmp
memory/492-119-0x000001D0FA4F0000-0x000001D0FA51E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-11-30 02:47
Reported
2021-11-30 02:54
Platform
win7-en-20211014
Max time kernel
361s
Max time network
361s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2021-11-30 02:47
Reported
2021-11-30 02:54
Platform
win10-en-20211104
Max time kernel
120s
Max time network
362s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.109.76.32:443 | tcp | |
| US | 8.8.8.8:53 | time.windows.com | udp |
| US | 168.61.215.74:123 | time.windows.com | udp |