Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
30/11/2021, 20:25
Static task
static1
Behavioral task
behavioral1
Sample
data.dll
Resource
win7-en-20211014
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
data.dll
Resource
win10-en-20211014
0 signatures
0 seconds
General
-
Target
data.dll
-
Size
429KB
-
MD5
3d2c80e6849edf4c6bea0e83fc086534
-
SHA1
cf233e96f1d4b54720de1fa425ab30bbea6c4278
-
SHA256
078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611
-
SHA512
a2c218a63cab2a98220ae1da44a1e9fceb7918ddb586112b31f772794e5fe4e2dbcda5557cae2191ae63cc536c637cca784a829a906ada93478ef510f29689f2
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
resource yara_rule behavioral2/memory/2724-116-0x00000002F77D1000-0x00000002F77EE000-memory.dmp BazarLoaderVar6 -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2724 2704 regsvr32.exe 69 PID 2704 wrote to memory of 2724 2704 regsvr32.exe 69
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\data.dll2⤵PID:2724
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\data.dll,DllRegisterServer {C56AC8DB-4742-4122-BBAC-CC43C05A9354}1⤵PID:3612