Analysis
- max time kernel: 139s
- max time network: 174s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 19-03-2022 19:43
Static task: static1
Behavioral task: behavioral1
  Sample: 864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: 864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe
  Resource: win10v2004-20220310-en
General
- Target: 864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe
- Size: 506KB
- MD5: 532524ec1e7a51b51f948fdc79bd0f83
- SHA1: ce1b6a7f420e277ff4f371b37f7ce9abc78c2929
- SHA256: 864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9
- SHA512: d594d9866ff30428d958d4a54b10938f41c030f3ac6ecfd5a67155b82ee6913275f8ed6f3ee7c446c5d59a2fd04251b28e61b283cafbde71a1a61e01c09db33c
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (3 IoCs)
  Processes:
  resource                                                                       yara_rule
  behavioral2/memory/3556-134-0x0000000002580000-0x00000000025C8000-memory.dmp   BazarLoaderVar3
  behavioral2/memory/3556-138-0x00000000025D0000-0x0000000002619000-memory.dmp   BazarLoaderVar3
  behavioral2/memory/3556-143-0x00000000008E0000-0x0000000000926000-memory.dmp   BazarLoaderVar3
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                            pid    process                                                                 target process
  PID 3556 set thread context of 4092    3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description                            pid    process                                                                 target process
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
  PID 3556 wrote to memory of 4092       3556   864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe   chrome.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" -sf "C:\Users\Admin\AppData\Local\Temp\864cf756fae7a3396d1028e9d8c2077df32ec207a0bf3222fcec6027a4a71fd9.exe"