Malware Analysis Report

2025-06-16 05:30

Sample ID 211203-mmag2abbb4
Target 078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll
SHA256 078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611

Threat Level: Known bad

The file 078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2021-12-03 10:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-12-03 10:34

Reported

2021-12-03 10:45

Platform

win10-en-20211104

Max time kernel

456s

Max time network

586s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2656 set thread context of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\svchost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A (6 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2616 wrote to memory of 2656 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\regsvr32.exe (2 identical events)
PID 2656 wrote to memory of 2688 N/A C:\Windows\system32\regsvr32.exe C:\Windows\system32\svchost.exe (62 identical events)

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll,DllRegisterServer {8F20DCBB-5732-436B-AE4C-A970F0E635AB}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 microsoft.com udp
SG 104.215.148.63:443 microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
BE 23.55.97.181:443 www.microsoft.com tcp
US 162.33.179.216:443 162.33.179.216 tcp
US 8.8.8.8:53 time.windows.com udp
NL 20.101.57.9:123 time.windows.com udp
US 162.33.177.216:443 162.33.177.216 tcp
US 162.33.177.216:443 162.33.177.216 tcp
US 162.33.177.216:443 162.33.177.216 tcp
US 8.8.8.8:53 amazon.com udp
US 176.32.103.205:443 amazon.com tcp
US 8.8.8.8:53 www.amazon.com udp
NL 54.192.85.139:443 www.amazon.com tcp
US 162.33.177.216:443 162.33.177.216 tcp
US 162.33.177.216:443 162.33.177.216 tcp
US 162.33.177.216:443 162.33.177.216 tcp
US 8.8.8.8:53 yahoo.com udp
US 98.137.11.163:443 yahoo.com tcp
US 8.8.8.8:53 www.yahoo.com udp
IE 87.248.100.216:443 www.yahoo.com tcp

Files

memory/2656-119-0x00000002F77D1000-0x00000002F77EE000-memory.dmp

memory/2656-118-0x0000000000000000-mapping.dmp

memory/2688-121-0x00007FF6E51E0000-0x00007FF6E5250000-memory.dmp

memory/2688-122-0x00007FF6E521EFE8-mapping.dmp

memory/2688-123-0x00007FF6E51E0000-0x00007FF6E5250000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 0521badbce0ec94d18ec7c9ee65bd588
SHA1 546593c8b82ccff91663772e64599c597e79517b
SHA256 cd231ecaa2ea38ede4b6a6eefbe02095466ba4e16d9ac2ba3e42203563688a2b
SHA512 159b5a1e81be7da2ce5d71cf1e6fa25ac420bd694b90d6d0dd5b8c3ffe22777d97444c6eeb905662165078f1eee0c72471658162387d8235f88056fad78d8b7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

MD5 acaeda60c79c6bcac925eeb3653f45e0
SHA1 2aaae490bcdaccc6172240ff1697753b37ac5578
SHA256 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658
SHA512 feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900