Analysis

  • max time kernel
    152s
  • max time network
    160s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23-02-2022 11:45

General

  • Target

    emissorNFe-4_0_1-homologacao.jnlp

  • Size

    5KB

  • MD5

    2ebf995cb469c94a513859241e1da199

  • SHA1

    9481f062253280e47bbcb7cdabba1d134a97d3f2

  • SHA256

    ae2667448077b7b49183d1340ca301fba6b7b606829a34ab4b1401a01db9439b

  • SHA512

    80be73ca92c54dfe090e111b9be3f86480a0265463b8ccb982b4d3805ba26d4b3fe69f2488487f94b5c470a15338dfb8de0aeecef3b282e4b6808938798e4791

Score
10/10

Malware Config

Signatures

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 12 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" "C:\Users\Admin\AppData\Local\Temp\emissorNFe-4_0_1-homologacao.jnlp"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_6\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.11.66.2" "update"
      2⤵
        PID:2156
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_6\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.timestamp.11.66.2" "1645620410"
        2⤵
          PID:3488
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -cp "C:\PROGRA~1\Java\JRE18~1.0_6\lib\deploy.jar" com.sun.deploy.panel.ControlPanel -userConfig "deployment.expiration.decision.suppression.11.66.2" "false"
          2⤵
            PID:2804
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:3536
        • C:\Windows\system32\browser_broker.exe
          C:\Windows\system32\browser_broker.exe -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          • NTFS ADS
          • Suspicious use of WriteProcessMemory
          PID:508
          • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\jre-8u321-windows-x64.exe
            "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\jre-8u321-windows-x64.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:4736
            • C:\Users\Admin\AppData\Local\Temp\jds314765.tmp\jre-8u321-windows-x64.exe
              "C:\Users\Admin\AppData\Local\Temp\jds314765.tmp\jre-8u321-windows-x64.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4828
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 4828 -s 2716
                4⤵
                • Program crash
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3800
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1016
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:4136
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:4288
        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
          1⤵
          • Modifies registry class
          PID:4380
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Drops file in Windows directory
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4104
          • C:\Windows\System32\MsiExec.exe
            C:\Windows\System32\MsiExec.exe -Embedding 62B3EBBB0699F1A23ADE05D820055C29
            2⤵
            • Loads dropped DLL
            PID:3340
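
        The tree starts with javaws.exe being handed the .jnlp from the user's Temp directory; the three javaw ControlPanel runs record an expired-JRE decision ("update"), the browser then downloads jre-8u321-windows-x64.exe, and msiexec installs the resulting jre1.8.0_32164.msi. What Web Start fetches, and with what trust, is decided by the JNLP itself: its codebase, the jar hrefs, whether all-permissions is requested, and any j2se href that points at a JRE download. The Python below is an added example for reading those fields before (or instead of) detonating a JNLP; it is not code from this report or from the sample, and the JNLP it parses is constructed with placeholder .invalid hostnames, since the report does not show the real file's contents.

```python
"""Static triage of a Java Web Start (.jnlp) launch file.

Added example. The JNLP below is constructed (every hostname is a placeholder
under .invalid); it is not the emissorNFe-4_0_1-homologacao.jnlp from the
report, whose contents the report does not show.
"""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

SAMPLE_JNLP = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://app.example.invalid/emissor/" href="emissor.jnlp">
  <information>
    <title>Emissor NF-e (homologacao)</title>
    <vendor>Example Vendor</vendor>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.8+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="emissor.jar" main="true"/>
    <jar href="https://static.other.invalid/lib/helper.jar"/>
  </resources>
  <application-desc main-class="br.example.Main"/>
</jnlp>
"""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_jnlp(xml_text):
    """Return the facts a triager wants before letting javaws run the file."""
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("root element is %r, not <jnlp>" % root.tag)

    codebase = root.get("codebase", "")
    codebase_host = _host(codebase)

    # <security><all-permissions/> asks for an unsandboxed JVM; Web Start only
    # grants it when every jar is signed and the user accepts the signer.
    sec = root.find("security")
    all_perms = sec is not None and sec.find("all-permissions") is not None

    # Relative jar hrefs resolve against the codebase; an absolute href on
    # another host means code is pulled from somewhere the codebase does not name.
    jars = []
    for jar in root.iter("jar"):
        url = urljoin(codebase, jar.get("href", ""))
        jars.append({
            "url": url,
            "main": jar.get("main") == "true",
            "offsite": _host(url) != codebase_host,
            "plain_http": urlparse(url).scheme == "http",
        })

    main_class = None
    for tag in ("application-desc", "applet-desc"):
        desc = root.find(tag)
        if desc is not None:
            main_class = desc.get("main-class")

    # <j2se href=...> (or <java href=...>) tells Web Start where to fetch a JRE
    # when the requested version is absent, which is one way an installer
    # download shows up during detonation.
    j2se = [(e.get("version"), e.get("href"))
            for e in list(root.iter("j2se")) + list(root.iter("java"))]

    findings = []
    if all_perms:
        findings.append("all-permissions requested")
    for j in jars:
        if j["offsite"]:
            findings.append("jar outside codebase host: " + j["url"])
        if j["plain_http"]:
            findings.append("jar fetched over plain http: " + j["url"])
    for version, href in j2se:
        if href:
            findings.append(f"j2se {version} may auto-download a JRE from {href}")

    return {
        "codebase": codebase,
        "main_class": main_class,
        "all_permissions": all_perms,
        "jars": jars,
        "j2se": j2se,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(triage_jnlp(SAMPLE_JNLP), indent=2))
```

        To use it on a real sample, pass the file's text to triage_jnlp(); the findings list is what to compare against the sandbox's process tree (for example, a j2se href in the file versus a JRE installer appearing in the Downloads section).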

        Network

        MITRE ATT&CK Matrix (ATT&CK v6)

        • Defense Evasion
          Modify Registry (T1112): 1
        • Discovery
          Query Registry (T1012): 2
          Peripheral Device Discovery (T1120): 1
          System Information Discovery (T1082): 2

        Downloads

        • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • C:\Users\Admin\AppData\LocalLow\Oracle\Java\jre1.8.0_321_x64\jre1.8.0_32164.msi
          MD5

          a8c681eea00bffb3dbbbffd28f07779f

          SHA1

          ae26387f00eff1d1fcaf29162e818bb7b0e241be

          SHA256

          ea03882940b2c48c219d318b37d2b01531d27ee2c86ad26a26dd4b71a5a515af

          SHA512

          3b2a840d357deba2d86ade10ed41ff8861e621ee3a323d5c3e72064e3930d5f6f61f5ad27a7753fee0c5e751f90994f5e435a24387402fa87afd4926a4e699a4

        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
          MD5

          29ed5246fb07cc52d93ce719eeade87c

          SHA1

          5c665d80050ba2261c530684a0ae7505c70af7f3

          SHA256

          e04d3826c0024ea838e690c7d509145f334a913618a49d30122fad8de8a2ee7c

          SHA512

          411168a74335da6f83204d34853d2187d11a5acaf8d9bb6b3fe94de4da1487285d4fa7e921089ec34f62677276f65953fd26e24d7af7602d9606ff30f376c1ea

        • C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
          MD5

          c2a3ab794396e5bbb951f17582d3d6f6

          SHA1

          b28d5d36019c5e0dbe5b1d86e49631415f96b928

          SHA256

          af4afb86b11bc9665e0f5f6c6b7c38d34fad473037a969c074dee0aabd6d2a13

          SHA512

          061c2be9b2525c54655fe451ee9099d256a4badd9bf9d72cfb9f1f8820b6b185cd75f4b79cb21ef8a0d8350780c152b7831ea779214b080f642912e2b0fbea11

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\jre-8u321-windows-x64.exe
          MD5

          5c4de2813b42c80a2d77983624512e7a

          SHA1

          0e645b1e56de38a5859d187d71c792ea7cb5735a

          SHA256

          273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

          SHA512

          263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\jre-8u321-windows-x64.exe.ws1sn3x.partial
          MD5

          5c4de2813b42c80a2d77983624512e7a

          SHA1

          0e645b1e56de38a5859d187d71c792ea7cb5735a

          SHA256

          273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

          SHA512

          263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\OQLGLTT1\jre-8u321-windows-x64[1].exe
          MD5

          8fd9d7b907f52b5d8775ff5867076dc5

          SHA1

          f2d4ea18311f90c35539c92b096fda2525e9dca1

          SHA256

          8657a266a77f3216f87edd6b93ff5bbb1dc3823549128a897bd6ead1a281c18e

          SHA512

          c756f2e125996140888807141545d9772c053e3f7aff01e01a705c4d04119ae1c57a2885f33454712af56bb890cafd3c0b33b523c54d900af69af6a6956b5d93

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
          MD5

          7934a34dbd42c01cce870075fccccf89

          SHA1

          3cef9f0a927c225985ae27c08c65c081ea58065b

          SHA256

          287a403432124eb98d591dd53f76f21337414517d363d5558647d3cf0433eb7d

          SHA512

          817b016b7bb1b1c0d7b27132eb0f1c9b148adb168d0f8ad85e6820b05ea82bf4eba8055c056cb3a6c6da771db9065e310f75a9e8fa4852b22effa89957afac9a

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
          MD5

          d9337a6d010bff1cafe4c20bea1e80d1

          SHA1

          48c671c9cf7a9ae10a8c58dc59362d0c04db0133

          SHA256

          dafcc530bfde6a98d876572d976a06204e650523aa6120283fe9c508482c1cb4

          SHA512

          31b8d1498826ba376afc8b5ec4aa80fa49816db7c88947bd2f0b2dc726290fca5eff0ed5f771225def978a310cd60d35970183be1958394d22a88f0c9d1822f8

        • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\1659841449.pri
          MD5

          6dfa43a584ed243390dc943abac397c0

          SHA1

          665637e060c9da24288944b90b377a309da6d533

          SHA256

          4f31fe4baa7a557ed5fc2ccf57b2861946ecea6222200aca124796e251a524ad

          SHA512

          9561a2867cf1e73578d0206d4c73e576e2b8c7497ec1db8a69df6a35ca78e84bf01060089e45ec32e5afde6d3b1de26afcd0e411a25b615042ce5bdd575cb6b0

        • C:\Users\Admin\AppData\Local\Temp\jds314765.tmp\jre-8u321-windows-x64.exe
          MD5

          80afab5be48bacf44155212c817f4e31

          SHA1

          5a8b12509bdecdb2024a8d00395ca5f24dec63dc

          SHA256

          fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

          SHA512

          a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

        • C:\Users\Admin\AppData\Local\Temp\jusched.log
          MD5

          2fc9cb208952c1d6d9d395be01443f06

          SHA1

          c1d7505f819d5ab0dfd81a61459e7a6cf7263cc8

          SHA256

          5a2d7735c2d03d216a5dc32994cce67fa3e4531617931cdd74f60f5004ac621b

          SHA512

          6bff6f512d9ae8e8a5eb06a37ab34caeec90453de898d749a94c945b3ee13324ba74c80762c18ba61a7812f2a640e2a2b0f19cbaacbededc9cae7347f59eb70f

        • C:\Users\Admin\AppData\Local\Temp\jusched.log
          MD5

          3a22f57142be1499bf9a03e55780f173

          SHA1

          acf0cfe61620f165cc90a18b7183f52776cb6065

          SHA256

          e77058434b69aed0d60069501181ac1398d301f7a562416de745b86b9cf90c75

          SHA512

          6ec5d623d1737aca5034989b64a0535ce99f41f9bfac4428132b88114b71dc0ad5da52a66da9b1ba9f9f93e966103f260d9fcd5b8222d79b8f55f055ef463f6c

        • C:\Windows\Installer\MSI5E73.tmp
          MD5

          da4598360ae218325c6b96b91a90dd19

          SHA1

          d773cc0953aaad2069467ad1a51e0fd7aa75e5c4

          SHA256

          4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4

          SHA512

          129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

        • C:\Windows\Installer\MSI61EF.tmp
          MD5

          da4598360ae218325c6b96b91a90dd19

          SHA1

          d773cc0953aaad2069467ad1a51e0fd7aa75e5c4

          SHA256

          4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4

          SHA512

          129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

        • \Windows\Installer\MSI5E73.tmp
          MD5

          da4598360ae218325c6b96b91a90dd19

          SHA1

          d773cc0953aaad2069467ad1a51e0fd7aa75e5c4

          SHA256

          4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4

          SHA512

          129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

        • \Windows\Installer\MSI61EF.tmp
          MD5

          da4598360ae218325c6b96b91a90dd19

          SHA1

          d773cc0953aaad2069467ad1a51e0fd7aa75e5c4

          SHA256

          4a8fb4e1fc0202da504de4259742943433040bf67d1f35397f428042b5dd4ef4

          SHA512

          129ec79a7ad644d9dc0682f83740329bdf31d48a6a51160212fdbf236c1f9c98259b36e94755bc146756b472fbda8a727af66860c89a9bc53c61a03e30942ea4

        • memory/2156-116-0x00000000024E0000-0x0000000002750000-memory.dmp
          Filesize

          2.4MB

        • memory/2156-121-0x0000000002330000-0x0000000002331000-memory.dmp
          Filesize

          4KB

        • memory/2156-117-0x0000000002330000-0x0000000002331000-memory.dmp
          Filesize

          4KB

        • memory/2804-131-0x00000000013D0000-0x00000000013D1000-memory.dmp
          Filesize

          4KB

        • memory/2804-132-0x00000000031C0000-0x0000000003430000-memory.dmp
          Filesize

          2.4MB

        • memory/3488-127-0x0000000002C50000-0x0000000002EC0000-memory.dmp
          Filesize

          2.4MB

        • memory/3488-126-0x0000000001170000-0x0000000001171000-memory.dmp
          Filesize

          4KB