Analysis
max time kernel: 144s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19-03-2022 23:35
Static task: static1
Behavioral task: behavioral1 (sample 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe, resource win7-20220311-en)
Behavioral task: behavioral2 (sample 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe, resource win10v2004-en-20220113)
The signatures and process tree on this page come from behavioral2 (the Windows 10 run; the memory-dump resources are prefixed behavioral2/).
General
Target: 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe
Size: 312KB
MD5: 2044ffa237db8f249d7d4d29c56e7d21
SHA1: 6d94758409cdba8b564fb42377397f90b1ebb0c7
SHA256: 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49
SHA512: bfb0bc83dab159c75677b13ec5a4e3fba57cc9f70cd5b712d888b7ce57f132b899d87e0e3c88eaa5c143c82a69b5fcb8b45f4c4b99a23f98e321f32b780563df
Malware Config
Extracted configuration, family: bazarloader
Addresses in the extracted configuration:
  54.193.186.118
  13.57.15.8
Signatures
In the tables below, 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe is abbreviated as sample.exe.

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
  resource                                                                      yara rule
  behavioral2/memory/2820-131-0x00000000004D0000-0x00000000004F2000-memory.dmp  BazarLoaderVar1
  behavioral2/memory/2820-130-0x0000000000500000-0x0000000000524000-memory.dmp  BazarLoaderVar1
  behavioral2/memory/2820-135-0x0000000180000000-0x0000000180022000-memory.dmp  BazarLoaderVar1

Executes dropped EXE (2 IoCs)
  pid   process
  4660  B72A706.exe
  4296  B72A706.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  process: B72A706.exe
  description: Set value (str)
  key: \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ZN6XPRISQ
  data (backslashes and quotes unescaped from the report's display form):
    cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v FSZD6XAC77 /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\B72A706.exe\" FADQLG3" & start "H" "C:\Users\Admin\AppData\Local\Temp\B72A706.exe" FADQLG3
  The RunOnce value does not point at the payload directly: at the next logon it runs reg.exe to create a persistent Run value (FSZD6XAC77) for B72A706.exe, then starts that binary with the argument FADQLG3.

Drops file in Windows directory (4 IoCs)
  description                   ioc                      process
  File opened for modification  C:\Windows\explorer.exe  sample.exe
  File opened for modification  C:\Windows\explorer.exe  sample.exe
  File opened for modification  C:\Windows\explorer.exe  B72A706.exe
  File opened for modification  C:\Windows\explorer.exe  B72A706.exe

Runs ping.exe (1 TTP, 3 IoCs)
  pid   process
  2832  PING.EXE
  3560  PING.EXE
  212   PING.EXE

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2820  sample.exe (logged twice)

Suspicious use of WriteProcessMemory (18 IoCs; the report logs each write twice, so 9 distinct parent/target pairs)
  pid   process      target pid  target process
  2820  sample.exe   2760        cmd.exe
  2760  cmd.exe      2832        PING.EXE
  2760  cmd.exe      2464        sample.exe
  2464  sample.exe   5084        cmd.exe
  5084  cmd.exe      3560        PING.EXE
  5084  cmd.exe      4660        B72A706.exe
  4660  B72A706.exe  3540        cmd.exe
  3540  cmd.exe      212         PING.EXE
  3540  cmd.exe      4296        B72A706.exe
Processes
Each entry gives the image path, its command line, and the signatures attached to it; indentation shows the parent/child relationship.

1. C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe"
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe
      command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe ZHO9A
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\PING.EXE
         command line: ping 8.8.8.8 -n 2
         - Runs ping.exe
      3. C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe
         command line: C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe ZHO9A
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SYSTEM32\cmd.exe
            command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\B72A706.exe RVO6
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\PING.EXE
               command line: ping 8.8.8.8 -n 2
               - Runs ping.exe
            5. C:\Users\Admin\AppData\Local\Temp\B72A706.exe
               command line: C:\Users\Admin\AppData\Local\Temp\B72A706.exe RVO6
               - Executes dropped EXE
               - Adds Run key to start application
               - Drops file in Windows directory
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SYSTEM32\cmd.exe
                  command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\B72A706.exe FADQLG3
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\PING.EXE
                     command line: ping 8.8.8.8 -n 2
                     - Runs ping.exe
                  7. C:\Users\Admin\AppData\Local\Temp\B72A706.exe
                     command line: C:\Users\Admin\AppData\Local\Temp\B72A706.exe FADQLG3
                     - Executes dropped EXE
                     - Drops file in Windows directory

The chain is the same three-step pattern repeated: the running copy spawns cmd.exe, cmd.exe pings 8.8.8.8 twice as a short delay, then launches the next stage with a different short argument (ZHO9A, RVO6, FADQLG3). B72A706.exe, the "dropped" executable in stages 5 and 7, has the same MD5/SHA1/SHA256/SHA512 as the submitted sample (see Downloads), so it is a renamed copy of the sample rather than a second payload. The RunOnce value is written by the stage-5 copy, and the argument it stores (FADQLG3) is the one stage 7 is started with.
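The two behaviours worth turning into detections here are the ping-delay relaunch (cmd /c ping <host> -n N & <exe> <token>) and a RunOnce value that shells out to reg.exe to seed a persistent Run value. The following is an added example, not code from the sandbox or from the sample's authors: it parses both patterns and runs them over process-creation and registry-set records constructed from the process tree and registry write reported above (the event shape mimics Sysmon EventID 1 and 13 fields, but the records are hand-built, and the sample's parent pid is assumed).

```python
"""Detect ping-based delay-then-relaunch chains and RunOnce-seeded Run persistence.
Added example code; the events below are constructed from the report, not exported."""
import re
from typing import Dict, List, Optional

# Paths taken from the report. The dropped file has the same hashes as the sample.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\B72A706.exe"


def ev(pid: int, ppid: int, image: str, cmdline: str) -> Dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed process-creation events modelled on the process tree (ppid 1000 is assumed).
PROCESS_EVENTS: List[Dict] = [
    ev(2820, 1000, SAMPLE, f'"{SAMPLE}"'),
    ev(2760, 2820, r"C:\Windows\SYSTEM32\cmd.exe", f"cmd /c ping 8.8.8.8 -n 2 & {SAMPLE} ZHO9A"),
    ev(2832, 2760, r"C:\Windows\system32\PING.EXE", "ping 8.8.8.8 -n 2"),
    ev(2464, 2760, SAMPLE, f"{SAMPLE} ZHO9A"),
    ev(5084, 2464, r"C:\Windows\SYSTEM32\cmd.exe", f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} RVO6"),
    ev(3560, 5084, r"C:\Windows\system32\PING.EXE", "ping 8.8.8.8 -n 2"),
    ev(4660, 5084, DROPPED, f"{DROPPED} RVO6"),
    ev(3540, 4660, r"C:\Windows\SYSTEM32\cmd.exe", f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} FADQLG3"),
    ev(212, 3540, r"C:\Windows\system32\PING.EXE", "ping 8.8.8.8 -n 2"),
    ev(4296, 3540, DROPPED, f"{DROPPED} FADQLG3"),
]

# Constructed registry-set event for the RunOnce write (value data unescaped from the report).
RUNONCE_EVENT = {
    "pid": 4660,
    "key": r"HKU\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ZN6XPRISQ",
    "data": r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v FSZD6XAC77 /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\B72A706.exe\" FADQLG3" & start "H" "C:\Users\Admin\AppData\Local\Temp\B72A706.exe" FADQLG3',
}

# cmd[.exe] /c ping <args> & <target> [args]; an optional directory prefix before cmd is allowed.
PING_DELAY_RE = re.compile(
    r'^\s*"?(?:[^"\s\\]*\\)*cmd(?:\.exe)?"?\s+/c\s+ping(?:\.exe)?\s+(?P<pingargs>[^&]+?)\s*&+\s*'
    r'(?P<target>"[^"]+"|\S+)\s*(?P<args>.*)$', re.IGNORECASE)

# reg[.exe] add <...\Run> ... /v <name> ... /d "<data with \" escapes>"
REG_ADD_RUN_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]*\\Run)"?\s.*?/v\s+"?(?P<name>[^"\s]+)"?'
    r'.*?/d\s+"(?P<data>(?:[^"\\]|\\.)*)"', re.IGNORECASE | re.DOTALL)


def in_user_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def parse_ping_delay(cmdline: str) -> Optional[Dict]:
    """Pull host, ping count, relaunch target and its argument out of a delay chain."""
    m = PING_DELAY_RE.match(cmdline)
    if not m:
        return None
    pingargs = m.group("pingargs")
    n = re.search(r"-n\s+(\d+)", pingargs, re.IGNORECASE)
    # Whatever is left after removing "-n N" and other switches is the host.
    hosts = [t for t in re.sub(r"-n\s+\d+", " ", pingargs, flags=re.IGNORECASE).split()
             if not t.startswith("-")]
    return {"host": hosts[0] if hosts else None, "count": int(n.group(1)) if n else None,
            "target": m.group("target").strip('"'), "args": m.group("args").strip()}


def find_delayed_reexec(events: List[Dict]) -> List[Dict]:
    """Flag cmd.exe launches of the delay form and confirm that the named target
    was actually started as a child of that cmd.exe."""
    by_parent: Dict[int, List[Dict]] = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    findings = []
    for e in events:
        parsed = parse_ping_delay(e["cmdline"])
        if not parsed:
            continue
        target_name = parsed["target"].rsplit("\\", 1)[-1].lower()
        confirmed = any(c["image"].rsplit("\\", 1)[-1].lower() == target_name
                        for c in by_parent.get(e["pid"], []))
        findings.append({"pid": e["pid"], "parent": e["ppid"], **parsed,
                         "target_in_temp": in_user_temp(parsed["target"]), "confirmed": confirmed})
    return findings


def runonce_seeds_run_key(key: str, data: str) -> Optional[Dict]:
    """Return details when a RunOnce value bootstraps a persistent Run value via reg.exe."""
    if "\\runonce\\" not in key.lower():
        return None
    m = REG_ADD_RUN_RE.search(data)
    if not m:
        return None
    payload = m.group("data").replace('\\"', '"')  # undo the \" escaping inside /d
    q = re.match(r'\s*"([^"]+)"\s*(.*)$', payload)
    if q:
        target, args = q.group(1), q.group(2)
    else:
        parts = payload.split(maxsplit=1)
        target, args = (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else "")
    return {"runonce_value": key.rsplit("\\", 1)[-1], "run_key": m.group("key"),
            "run_value": m.group("name"), "target": target, "args": args.strip(),
            "target_in_temp": in_user_temp(target)}


if __name__ == "__main__":
    for f in find_delayed_reexec(PROCESS_EVENTS):
        print(f"pid {f['pid']}: ping {f['host']} -n {f['count']} then {f['target']} {f['args']} "
              f"(child confirmed={f['confirmed']}, temp={f['target_in_temp']})")
    print(runonce_seeds_run_key(RUNONCE_EVENT["key"], RUNONCE_EVENT["data"]))
```

Confirming the relaunch against the actual child process (rather than alerting on the cmd.exe command line alone) keeps the rule from firing on scripts that merely wait on ping and never start anything; requiring the target to live under a user-writable temp directory is the second filter that matches all three stages in this report.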
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\B72A706.exe (listed three times in the report with identical hashes; these are the hashes of the submitted sample, so the dropped file is a copy of it)
  MD5: 2044ffa237db8f249d7d4d29c56e7d21
  SHA1: 6d94758409cdba8b564fb42377397f90b1ebb0c7
  SHA256: 5e169256d9b7ff85c9b2e2489945cb9deb66f44fecad16a7bfb36d3b31c2ab49
  SHA512: bfb0bc83dab159c75677b13ec5a4e3fba57cc9f70cd5b712d888b7ce57f132b899d87e0e3c88eaa5c143c82a69b5fcb8b45f4c4b99a23f98e321f32b780563df
memory/2820-131-0x00000000004D0000-0x00000000004F2000-memory.dmp, filesize 136KB
memory/2820-130-0x0000000000500000-0x0000000000524000-memory.dmp, filesize 144KB
memory/2820-135-0x0000000180000000-0x0000000180022000-memory.dmp, filesize 136KB