Analysis
-
max time kernel
141s -
max time network
151s -
platform
windows7_x64 -
resource
win7-en-20211104 -
submitted
02/12/2021, 12:07
Static task
static1
Behavioral task
behavioral1
Sample
bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
Resource
win7-en-20211104
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
Resource
win10-en-20211014
0 signatures
0 seconds
General
-
Target
bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
-
Size
393KB
-
MD5
eb2338c71a210835401162d1e1ed9174
-
SHA1
7451b3eeb0efad68d4c4347267369847b169bf9c
-
SHA256
bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a
-
SHA512
325925ce022a08fd0df481eb0b9427188743c02edd4739ad935a9b8b6dd1e0453b02f37453c09cdde6ee8fdf70c1219c32228e341cdf9b4a2130b9bfc0ee9ade
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
resource yara_rule behavioral1/memory/1592-56-0x00000000002D0000-0x00000000002E7000-memory.dmp BazarLoaderVar6 -
Program crash 1 IoCs
pid pid_target Process procid_target 1492 560 WerFault.exe 28 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1492 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1492 WerFault.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 560 wrote to memory of 1492 560 rundll32.exe 29 PID 560 wrote to memory of 1492 560 rundll32.exe 29 PID 560 wrote to memory of 1492 560 rundll32.exe 29
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll1⤵PID:1592
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll,DllRegisterServer {1ACB10D1-5CA9-43B8-BE0B-5D186CD5CAC1}1⤵
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 560 -s 922⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1492
-