Analysis Overview
SHA256
487290690d5455b475497515474f45a5daf47ca8b2e8d64155f79f7fad0bb3a8
Threat Level: Known bad
The file 5101677762478080.zip was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-19 16:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-19 16:14
Reported
2022-01-19 16:17
Platform
win7-en-20211208
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1600 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 1600 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 1600 wrote to memory of 320 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 320 wrote to memory of 652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\xcopy.exe |
| PID 320 wrote to memory of 652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\xcopy.exe |
| PID 320 wrote to memory of 652 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\xcopy.exe |
| PID 320 wrote to memory of 472 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\rundll32.exe |
| PID 320 wrote to memory of 472 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\rundll32.exe |
| PID 320 wrote to memory of 472 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
C:\Windows\system32\xcopy.exe
xcopy /y DumpStack.log c:\programdata\
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
Network
Files
memory/1600-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp
C:\programdata\DumpStack.log
| MD5 | f948fe3f01333c0326d4dd598e4945c0 |
| SHA1 | 70a619d1b2acbf969b44aded654d6a9257465e2b |
| SHA256 | f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb |
| SHA512 | 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651 |
\ProgramData\DumpStack.log
| MD5 | f948fe3f01333c0326d4dd598e4945c0 |
| SHA1 | 70a619d1b2acbf969b44aded654d6a9257465e2b |
| SHA256 | f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb |
| SHA512 | 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651 |
memory/472-57-0x0000000180000000-0x000000018003D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-19 16:14
Reported
2022-01-19 16:17
Platform
win10v2004-en-20220113
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2236 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 2236 wrote to memory of 1908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\cmd.exe |
| PID 1908 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\xcopy.exe |
| PID 1908 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\xcopy.exe |
| PID 1908 wrote to memory of 1860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\rundll32.exe |
| PID 1908 wrote to memory of 1860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\rundll32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
C:\Windows\system32\xcopy.exe
xcopy /y DumpStack.log c:\programdata\
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
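Detection logic for the process chain shown in the behavioral1 and behavioral2 process lists (cmd.exe copying DumpStack.log to ProgramData and handing it to rundll32 with the export spload). This is an added example, not code from the sandbox report. Events are modelled in a Sysmon-like shape (pid, ppid, image, command line); the field names are an assumption rather than a vendor schema. PIDs and command lines are copied from behavioral2 and the behavioral3/4 rundll32 line; the root parent PID, the PIDs of the two extra rundll32 rows, and the benign shell32.dll control row are constructed.

```python
"""Flag rundll32 loading a dropped, non-DLL-named module from a user-writable
directory, and the cmd.exe one-liner that stages it.

Added example; not part of the sandbox report. Event shape is Sysmon-like
(pid, ppid, image, cmdline) and is an assumption, not a product schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: behavioral2's process list (PIDs from the
# WriteProcessMemory rows; root parent unknown from the report, set to 0),
# the behavioral3/4 rundll32 line, and one benign rundll32 control.
SAMPLE_EVENTS = [
    ProcEvent(2236, 0, "C:\\Windows\\system32\\cmd.exe",
              "cmd /c C:\\Users\\Admin\\AppData\\Local\\Temp\\Attachments.lnk"),
    ProcEvent(1908, 2236, "C:\\Windows\\System32\\cmd.exe",
              '"C:\\Windows\\System32\\cmd.exe" /c xcopy /y DumpStack.log c:\\programdata\\ '
              '&& C:\\Windows\\System32\\rundll32.exe C:\\programdata\\DumpStack.log,spload && exit'),
    ProcEvent(376, 1908, "C:\\Windows\\system32\\xcopy.exe",
              "xcopy /y DumpStack.log c:\\programdata\\"),
    ProcEvent(1860, 1908, "C:\\Windows\\System32\\rundll32.exe",
              "C:\\Windows\\System32\\rundll32.exe C:\\programdata\\DumpStack.log,spload"),
    # behavioral3/4 invocation (PID 5000 is constructed, not from the report)
    ProcEvent(5000, 0, "C:\\Windows\\system32\\rundll32.exe",
              "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\DumpStack.log.dll,#1"),
    # benign control (constructed): a real DLL from System32, named export
    ProcEvent(5001, 0, "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
]

# rundll32 <module>,<entry>; module may be quoted, entry may be a name or #ordinal
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.I)
# copy/xcopy ... && ... rundll32 inside one cmd.exe command line
COPY_THEN_RUNDLL32_RE = re.compile(r"\b(?:xcopy|copy)\b.*&&.*\brundll32\b", re.I)

LOADABLE_EXTS = (".dll", ".cpl", ".ocx", ".ax")
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\temp\\")


def parse_rundll32(cmdline):
    """Return (module_path, entry_point) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    return m.group("module").strip(), m.group("entry").strip()


def rundll32_reasons(ev):
    """Reasons a rundll32 event looks like it is loading a dropped payload."""
    reasons = []
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return reasons
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return reasons
    module, entry = parsed
    low = module.lower()
    if not low.endswith(LOADABLE_EXTS):
        reasons.append(f"module has a non-DLL extension: {module}")
    if any(d in low for d in USER_WRITABLE):
        reasons.append(f"module lives in a user-writable directory: {module}")
    if entry.startswith("#"):
        reasons.append(f"entry point called by ordinal: {entry}")
    return reasons


def cmd_reasons(ev):
    """cmd.exe that copies a file and runs it via rundll32 in the same line."""
    if ev.image.lower().endswith("\\cmd.exe") and COPY_THEN_RUNDLL32_RE.search(ev.cmdline):
        return ["cmd.exe copies a file and immediately runs it via rundll32"]
    return []


def ancestry(events, pid):
    """Image basenames from pid up to the last parent present in the event set."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid].ppid
    return chain


def scan(events):
    """Map pid -> list of reasons for every event that trips a rule."""
    findings = {}
    for ev in events:
        reasons = rundll32_reasons(ev) + cmd_reasons(ev)
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, " <- ".join(ancestry(SAMPLE_EVENTS, pid)))
        for r in reasons:
            print("   ", r)
```

Run as-is it reports PID 1908 (the staging one-liner), PID 1860 (non-DLL extension under ProgramData) and PID 5000 (ordinal export from Temp), and leaves the shell32.dll control alone. The extension check alone is the weak rule: behavioral3/4 show the same payload renamed to DumpStack.log.dll, which only the user-writable-path and ordinal rules catch, so keep the rules combined rather than alerting on any one of them.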
Network
| Country | Destination | Domain | Proto |
| UA | 194.38.20.11:443 | 194.38.20.11 | tcp |
| BG | 5.181.80.177:443 | | tcp |
| US | 45.41.204.147:443 | | tcp |
| NZ | 103.208.86.105:443 | | tcp |
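The behavioral2 Network table above, together with the "Blocklisted process makes network request" rows that attribute the traffic to rundll32, shows one shape: TCP/443 to bare IP addresses with no hostname (or a "domain" that is just the IP again). The following is an added example, not part of the sandbox report, that parses the table in the form it appears on this page and picks out that pattern. The rows are copied from this page's behavioral2 and behavioral4 tables; the last row is deliberately written in the mis-aligned form the raw report used (proto sitting in the Domain column) so the parser tolerates it.

```python
"""Parse the report's Network table and flag TLS-port connections that have no
hostname. Added example; not part of the sandbox report. Sample rows are
copied from this page (behavioral2 and behavioral4); the last row reproduces
the mis-aligned column layout of the raw report on purpose.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Conn:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| UA | 194.38.20.11:443 | 194.38.20.11 | tcp |
| BG | 5.181.80.177:443 | | tcp |
| US | 45.41.204.147:443 | | tcp |
| NZ | 103.208.86.105:443 | | tcp |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| FR | 2.22.147.98:443 | tcp |
"""

PROTOS = ("tcp", "udp")


def parse_network_table(text):
    """Turn the pipe-delimited rows into Conn records.

    Tolerates rows where the Domain cell is missing and the protocol has
    slid into its place: the protocol is recognised by value, not position.
    """
    conns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
        ip, _, port = dest.rpartition(":")
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def is_direct_ip_tls(c):
    """TLS-port connection with no hostname, or a hostname that is just the IP."""
    if c.port != 443:
        return False
    if not c.domain:
        return True
    try:
        ipaddress.ip_address(c.domain)
        return True
    except ValueError:
        return False


def flag_connections(conns):
    """Sorted, de-duplicated ip:port list of connections matching the pattern."""
    return sorted({f"{c.ip}:{c.port}" for c in conns if is_direct_ip_tls(c)})


if __name__ == "__main__":
    for entry in flag_connections(parse_network_table(SAMPLE_TABLE)):
        print(entry)
```

Note what the output includes: besides the four behavioral2 destinations it also lists 2.22.147.98:443 from behavioral4, a run in which the sandbox raised no signatures at all. Direct-to-IP TLS on its own is therefore too noisy to alert on; it becomes useful only when joined to the originating process, which is what the "Blocklisted process makes network request" signature does for rundll32 here.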
Files
C:\programdata\DumpStack.log
| MD5 | f948fe3f01333c0326d4dd598e4945c0 |
| SHA1 | 70a619d1b2acbf969b44aded654d6a9257465e2b |
| SHA256 | f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb |
| SHA512 | 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651 |
C:\ProgramData\DumpStack.log
| MD5 | f948fe3f01333c0326d4dd598e4945c0 |
| SHA1 | 70a619d1b2acbf969b44aded654d6a9257465e2b |
| SHA256 | f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb |
| SHA512 | 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651 |
memory/1860-472-0x0000000180000000-0x000000018003D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2022-01-19 16:14
Reported
2022-01-19 16:17
Platform
win7-en-20211208
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2022-01-19 16:14
Reported
2022-01-19 16:17
Platform
win10v2004-en-20220113
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | crl4.digicert.com | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| FR | 2.22.147.98:443 | | tcp |
| NL | 84.53.175.105:80 | | tcp |
| NL | 84.53.175.105:80 | | tcp |