Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    03/12/2021, 12:13

General

  • Target

    078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll

  • Size

    429KB

  • MD5

    3d2c80e6849edf4c6bea0e83fc086534

  • SHA1

    cf233e96f1d4b54720de1fa425ab30bbea6c4278

  • SHA256

    078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611

  • SHA512

    a2c218a63cab2a98220ae1da44a1e9fceb7918ddb586112b31f772794e5fe4e2dbcda5557cae2191ae63cc536c637cca784a829a906ada93478ef510f29689f2

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload (1 IoC)
  • Suspicious use of WriteProcessMemory (2 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll
    PID: 2488
    • Suspicious use of WriteProcessMemory
    • C:\Windows\system32\regsvr32.exe (child of PID 2488)
      regsvr32 /s C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll
      PID: 2736
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll,DllRegisterServer {B5267F6E-8D1E-4E4A-935A-C7F94BD3F3A2}
    PID: 4064

  The first regsvr32 (PID 2488) re-launches itself with the identical command line and is the process on which the WriteProcessMemory signature fired; the memory dump listed under Downloads was taken from that child (PID 2736). The rundll32 invocation calls the DLL's DllRegisterServer export directly with a GUID argument and has no recorded parent in this tree.
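The process tree above carries two patterns worth alerting on in endpoint telemetry: a LOLBin (regsvr32 or rundll32) loading a DLL out of a user's Temp directory, and regsvr32 spawning a second regsvr32 with the very same command line (the parent/child pair the WriteProcessMemory signature points at). The following is an added example, not part of the sandbox report or any vendor's tooling; the event records are constructed from the PIDs and command lines listed above, the `ppid` for 2736 is taken from its nesting under 2488, rundll32's parent is unknown and left as `None`, and the field names (`pid`, `ppid`, `image`, `cmdline`) are assumptions for illustration.

```python
"""
Flag the regsvr32/rundll32 behaviour seen in the sandbox process tree.

Added example, not from the report. Event records are constructed from the
report's process list; the schema (pid, ppid, image, cmdline) is assumed.
"""
import re

# Constructed from the report: same DLL for all three processes.
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\078968cfc9af97a102a362ad87cb30e8d3d33d28d0dd7c97fc31e85ff3950611.dll")

EVENTS = [
    {"pid": 2488, "ppid": None,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f"regsvr32 /s {DLL}"},
    # Nested under 2488 in the report, so ppid=2488.
    {"pid": 2736, "ppid": 2488,
     "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": f"regsvr32 /s {DLL}"},
    # Shown as a root in the report; parent unknown (None).
    {"pid": 4064, "ppid": None,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": f"C:\\Windows\\System32\\rundll32.exe {DLL},DllRegisterServer "
                "{B5267F6E-8D1E-4E4A-935A-C7F94BD3F3A2}"},
]

LOLBINS = {"regsvr32.exe", "rundll32.exe"}
# A per-user Temp directory: legitimate COM registration rarely loads from here.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# First drive-rooted path ending in .dll; stops at whitespace or the
# comma that separates the DLL from the export name in rundll32 syntax.
DLL_ARG = re.compile(r"([A-Za-z]:\\[^\s,]+\.dll)", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def dll_argument(cmdline):
    """DLL path passed on the command line, or None if there is none."""
    match = DLL_ARG.search(cmdline)
    return match.group(1) if match else None


def analyse(events):
    """Return (rule, pid) findings for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name not in LOLBINS:
            continue
        dll = dll_argument(e["cmdline"])
        # Rule 1: regsvr32/rundll32 loading a DLL from a user's Temp folder.
        if dll and USER_TEMP.search(dll):
            findings.append(("lolbin_dll_from_user_temp", e["pid"]))
        # Rule 2: regsvr32 whose parent is regsvr32 with an identical
        # command line. A normal /s registration does not re-launch itself;
        # this matches the parent/child pair flagged for WriteProcessMemory.
        parent = by_pid.get(e["ppid"])
        if (parent and name == "regsvr32.exe"
                and image_name(parent["image"]) == "regsvr32.exe"
                and parent["cmdline"].lower() == e["cmdline"].lower()):
            findings.append(("regsvr32_self_spawn_same_cmdline", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in analyse(EVENTS):
        print(f"{rule}: PID {pid}")
```

Rule 1 fires on all three PIDs here; Rule 2 fires only on PID 2736, since only it has a regsvr32 parent with the same command line. Against real telemetry, feed `analyse()` the process-creation events (Sysmon event ID 1 or equivalent) mapped to the same four fields; the rules need no other context.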

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2736-119-0x00000002F77D1000-0x00000002F77EE000-memory.dmp

    Filesize

    116KB