Analysis Overview
SHA256
078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611
Threat Level: Known bad
The file 078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-12-03 10:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2021-12-03 10:34
Reported
2021-12-03 10:45
Platform
win10-en-20211104
Max time kernel
456s
Max time network
586s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2656 set thread context of 2688 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\system32\svchost.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll,DllRegisterServer {8F20DCBB-5732-436B-AE4C-A970F0E635AB}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | microsoft.com | udp |
| SG | 104.215.148.63:443 | microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 23.55.97.181:443 | www.microsoft.com | tcp |
| US | 162.33.179.216:443 | 162.33.179.216 | tcp |
| US | 8.8.8.8:53 | time.windows.com | udp |
| NL | 20.101.57.9:123 | time.windows.com | udp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 8.8.8.8:53 | amazon.com | udp |
| US | 176.32.103.205:443 | amazon.com | tcp |
| US | 8.8.8.8:53 | www.amazon.com | udp |
| NL | 54.192.85.139:443 | www.amazon.com | tcp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 162.33.177.216:443 | 162.33.177.216 | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 98.137.11.163:443 | yahoo.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| IE | 87.248.100.216:443 | www.yahoo.com | tcp |
Files
memory/2656-119-0x00000002F77D1000-0x00000002F77EE000-memory.dmp
memory/2656-118-0x0000000000000000-mapping.dmp
memory/2688-121-0x00007FF6E51E0000-0x00007FF6E5250000-memory.dmp
memory/2688-122-0x00007FF6E521EFE8-mapping.dmp
memory/2688-123-0x00007FF6E51E0000-0x00007FF6E5250000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| Hash | Value |
|---|---|
| MD5 | 0521badbce0ec94d18ec7c9ee65bd588 |
| SHA1 | 546593c8b82ccff91663772e64599c597e79517b |
| SHA256 | cd231ecaa2ea38ede4b6a6eefbe02095466ba4e16d9ac2ba3e42203563688a2b |
| SHA512 | 159b5a1e81be7da2ce5d71cf1e6fa25ac420bd694b90d6d0dd5b8c3ffe22777d97444c6eeb905662165078f1eee0c72471658162387d8235f88056fad78d8b7a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
| Hash | Value |
|---|---|
| MD5 | acaeda60c79c6bcac925eeb3653f45e0 |
| SHA1 | 2aaae490bcdaccc6172240ff1697753b37ac5578 |
| SHA256 | 6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658 |
| SHA512 | feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900 |