Analysis Overview
SHA256
bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a
Threat Level: Known bad
The file bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-12-02 12:07
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2021-12-02 12:07
Reported
2021-12-02 12:10
Platform
win10-en-20211014
Max time kernel
152s
Max time network
164s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll,DllRegisterServer {DD3DAEF9-1B7B-42D8-B492-55FF0701037C}
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | tcp | |
| NL | 52.109.88.44:443 | tcp | |
| US | 8.8.8.8:53 | microsoft.com | udp |
| SG | 104.215.148.63:443 | microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | sv.symcb.com | udp |
| US | 72.21.91.29:80 | sv.symcb.com | tcp |
| US | 8.8.8.8:53 | s.symcb.com | udp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 162.33.178.131:443 | tcp | |
| US | 72.21.91.29:80 | s.symcb.com | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 8.8.8.8:53 | bing.com | udp |
| US | 13.107.21.200:443 | bing.com | tcp |
| US | 8.8.8.8:53 | www.bing.com | udp |
| US | 131.253.33.200:443 | www.bing.com | tcp |
Files
memory/3492-118-0x0000000000E70000-0x0000000000E72000-memory.dmp
memory/3492-117-0x0000000000E70000-0x0000000000E72000-memory.dmp
memory/3492-119-0x0000000000E50000-0x0000000000E67000-memory.dmp
memory/908-121-0x0000026A1E210000-0x0000026A1E212000-memory.dmp
memory/908-120-0x0000026A1E210000-0x0000026A1E212000-memory.dmp
memory/908-122-0x0000026A1E1F0000-0x0000026A1E207000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-02 12:07
Reported
2021-12-02 12:10
Platform
win7-en-20211104
Max time kernel
141s
Max time network
151s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\System32\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 560 wrote to memory of 1492 | N/A | C:\Windows\System32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 560 wrote to memory of 1492 | N/A | C:\Windows\System32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 560 wrote to memory of 1492 | N/A | C:\Windows\System32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll,DllRegisterServer {1ACB10D1-5CA9-43B8-BE0B-5D186CD5CAC1}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 560 -s 92
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | microsoft.com | udp |
| SG | 104.215.148.63:443 | microsoft.com | tcp |
| SG | 104.215.148.63:443 | microsoft.com | tcp |
| US | 162.33.178.131:443 | tcp | |
| US | 162.33.178.131:443 | tcp | |
| US | 8.8.8.8:53 | amazon.com | udp |
| US | 54.239.28.85:443 | amazon.com | tcp |
| US | 8.8.8.8:53 | www.amazon.com | udp |
| NL | 104.80.229.194:443 | www.amazon.com | tcp |
Files
memory/1592-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp
memory/1592-56-0x00000000002D0000-0x00000000002E7000-memory.dmp
memory/1492-57-0x0000000000000000-mapping.dmp
memory/1492-59-0x0000000001D60000-0x0000000001D61000-memory.dmp