bazarloader | c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Analysis

Target

Attachments.lnk
Size

1KB
MD5

e87e52db1aa360baf8444c5524dd2b26
SHA1

b89d0c4568c74f03ec3e1917c22a83c37409b10a
SHA256

6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
SHA512

e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-93-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

4 2020 rundll32.exe
5 2020 rundll32.exe
6 2020 rundll32.exe
7 2020 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2020 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2020	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 1992	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	cmd.exe
PID 1824 wrote to memory of 1992	1824	cmd.exe	cmd.exe
PID 1992 wrote to memory of 2000	1992	cmd.exe	xcopy.exe
PID 1992 wrote to memory of 2000	1992	cmd.exe	xcopy.exe
PID 1992 wrote to memory of 2000	1992	cmd.exe	xcopy.exe
PID 1992 wrote to memory of 2020	1992	cmd.exe	rundll32.exe
PID 1992 wrote to memory of 2020	1992	cmd.exe	rundll32.exe
PID 1992 wrote to memory of 2020	1992	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\xcopy.exe
xcopy /y DumpStack.log c:\programdata\
3⤵
PID:2000

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\programdata\DumpStack.log

MD5
f948fe3f01333c0326d4dd598e4945c0

SHA1
70a619d1b2acbf969b44aded654d6a9257465e2b

SHA256
f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb

SHA512
9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

Download Submit
\ProgramData\DumpStack.log

MD5
f948fe3f01333c0326d4dd598e4945c0

SHA1
70a619d1b2acbf969b44aded654d6a9257465e2b

SHA256
f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb

SHA512
9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

Download Submit
memory/1824-54-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/2020-93-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download