Malware Analysis Report

2025-06-16 05:30

Sample ID: 211202-pac4habad7
Target: bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll
SHA256: bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a
Tags: bazarloader dropper loader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a

Threat Level: Known bad

The file bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-12-02 12:07

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2021-12-02 12:07
Reported: 2021-12-02 12:10
Platform: win10-en-20211014
Max time kernel: 152s
Max time network: 164s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll,DllRegisterServer {DD3DAEF9-1B7B-42D8-B492-55FF0701037C}

Network

Country  Destination           Domain              Proto
NL       104.110.191.133:80    -                   tcp
NL       52.109.88.44:443      -                   tcp
US       8.8.8.8:53            microsoft.com       udp
SG       104.215.148.63:443    microsoft.com       tcp
US       8.8.8.8:53            www.microsoft.com   udp
NL       104.85.1.163:443      www.microsoft.com   tcp
US       8.8.8.8:53            sv.symcb.com        udp
US       72.21.91.29:80        sv.symcb.com        tcp
US       8.8.8.8:53            s.symcb.com         udp
US       72.21.91.29:80        s.symcb.com         tcp
US       72.21.91.29:80        s.symcb.com         tcp
US       72.21.91.29:80        s.symcb.com         tcp
US       72.21.91.29:80        s.symcb.com         tcp
US       162.33.178.131:443    -                   tcp
US       72.21.91.29:80        s.symcb.com         tcp
US       8.8.8.8:53            time.windows.com    udp
NL       20.101.57.9:123       time.windows.com    udp
US       8.8.8.8:53            bing.com            udp
US       13.107.21.200:443     bing.com            tcp
US       8.8.8.8:53            www.bing.com        udp
US       131.253.33.200:443    www.bing.com        tcp

Files

memory/3492-118-0x0000000000E70000-0x0000000000E72000-memory.dmp

memory/3492-117-0x0000000000E70000-0x0000000000E72000-memory.dmp

memory/3492-119-0x0000000000E50000-0x0000000000E67000-memory.dmp

memory/908-121-0x0000026A1E210000-0x0000026A1E212000-memory.dmp

memory/908-120-0x0000026A1E210000-0x0000026A1E212000-memory.dmp

memory/908-122-0x0000026A1E1F0000-0x0000026A1E207000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2021-12-02 12:07
Reported: 2021-12-02 12:10
Platform: win7-en-20211104
Max time kernel: 141s
Max time network: 151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Program crash

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\WerFault.exe  C:\Windows\System32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\WerFault.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description              Indicator  Process                           Target
Token: SeDebugPrivilege  N/A        C:\Windows\system32\WerFault.exe  N/A

Suspicious use of WriteProcessMemory

Description                      Indicator  Process                           Target
PID 560 wrote to memory of 1492  N/A        C:\Windows\System32\rundll32.exe  C:\Windows\system32\WerFault.exe
PID 560 wrote to memory of 1492  N/A        C:\Windows\System32\rundll32.exe  C:\Windows\system32\WerFault.exe
PID 560 wrote to memory of 1492  N/A        C:\Windows\System32\rundll32.exe  C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\bb62610dd76178bbcf45eb21d8f644977c23d0391f5f3d89b406b2caca619d2a.dll,DllRegisterServer {1ACB10D1-5CA9-43B8-BE0B-5D186CD5CAC1}

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 560 -s 92

Network

Country  Destination           Domain              Proto
US       8.8.8.8:53            microsoft.com       udp
SG       104.215.148.63:443    microsoft.com       tcp
SG       104.215.148.63:443    microsoft.com       tcp
US       162.33.178.131:443    -                   tcp
US       162.33.178.131:443    -                   tcp
US       8.8.8.8:53            amazon.com          udp
US       54.239.28.85:443      amazon.com          tcp
US       8.8.8.8:53            www.amazon.com      udp
NL       104.80.229.194:443    www.amazon.com      tcp

Files

memory/1592-55-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

memory/1592-56-0x00000000002D0000-0x00000000002E7000-memory.dmp

memory/1492-57-0x0000000000000000-mapping.dmp

memory/1492-59-0x0000000001D60000-0x0000000001D61000-memory.dmp