Analysis

  • max time kernel
    126s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    30/11/2021, 20:25

General

  • Target

    data.dll

  • Size

    429KB

  • MD5

    3d2c80e6849edf4c6bea0e83fc086534

  • SHA1

    cf233e96f1d4b54720de1fa425ab30bbea6c4278

  • SHA256

    078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611

  • SHA512

    a2c218a63cab2a98220ae1da44a1e9fceb7918ddb586112b31f772794e5fe4e2dbcda5557cae2191ae63cc536c637cca784a829a906ada93478ef510f29689f2

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Windows\system32\regsvr32.exe
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll
      2⤵
      PID:1336
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\data.dll,DllRegisterServer {B5FA5DB3-71B0-4D06-9F2C-9F686B1DD40D}
      1⤵
      PID:812

Network

MITRE ATT&CK Matrix


Downloads

  • memory/1116-55-0x000007FEFBB91000-0x000007FEFBB93000-memory.dmp

    Filesize

    8KB

  • memory/1336-58-0x00000002F77D1000-0x00000002F77EE000-memory.dmp

    Filesize

    116KB