Analysis
  max time kernel:  4294214s
  max time network: 174s
  platform:         windows7_x64
  resource:         win7-20220311-en
  submitted:        20-03-2022 02:52
Static task
  static1

Behavioral task
  behavioral1
    Sample:   0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
    Resource: win7-20220311-en

Behavioral task
  behavioral2
    Sample:   0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
    Resource: win10v2004-20220310-en
General
  Target: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
  Size:   266KB
  MD5:    8a04926cc8b9bb02b39a24133445a1cd
  SHA1:   89b08d47b58000b4124e89160acb44115368c377
  SHA256: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
  SHA512: 63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac
Malware Config
  Extracted: bazarloader
    C2: 54.193.186.118
    C2: 13.57.15.8
Signatures

  Bazar Loader
    Detected loader normally used to deploy BazarBackdoor malware.

  Bazar/Team9 Loader payload (3 IoCs)
    YARA hits on memory regions of PID 1088 (the submitted sample):
      resource                                                                      yara_rule
      behavioral1/memory/1088-54-0x0000000000350000-0x0000000000374000-memory.dmp   BazarLoaderVar1
      behavioral1/memory/1088-58-0x0000000180000000-0x0000000180022000-memory.dmp   BazarLoaderVar1
      behavioral1/memory/1088-62-0x0000000000210000-0x0000000000232000-memory.dmp   BazarLoaderVar1
    0x180000000 is the default image base of a 64-bit DLL, so the second hit is consistent with an unpacked loader DLL mapped inside the process. The dumps themselves are listed under Downloads.

  Executes dropped EXE (2 IoCs)
    PID 840   C0N6A19.exe
    PID 2008  C0N6A19.exe

  Loads dropped DLL (2 IoCs)
    PID 1492  cmd.exe
    PID 1112  cmd.exe

  Adds Run key to start application (2 TTPs, 1 IoC)
    Set value (str) by C0N6A19.exe (data reproduced verbatim, escaped as the report prints it):
      \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CJTKN1HW =
      "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v G0HLPMPDNJK /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0N6A19.exe\\\" I5ILPL\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0N6A19.exe\" I5ILPL"
    The value is written under RunOnce, which Windows removes after running it once, but the command it stores re-creates a value named G0HLPMPDNJK under the persistent Run key pointing at the Temp copy, then starts that copy with the argument I5ILPL. The "H" after start is a throwaway window title, so that the quoted path is not consumed as the title.

  Drops file in Windows directory (4 IoCs)
    description                   ioc                      process
    File opened for modification  C:\Windows\explorer.exe  0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
    File opened for modification  C:\Windows\explorer.exe  0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
    File opened for modification  C:\Windows\explorer.exe  C0N6A19.exe
    File opened for modification  C:\Windows\explorer.exe  C0N6A19.exe
    The signature records explorer.exe being opened for modification; nothing in the report shows the file's contents actually changing.

  Runs ping.exe (1 TTP, 3 IoCs)
    PID 1184  PING.EXE
    PID 284   PING.EXE
    PID 452   PING.EXE

  Suspicious behavior: EnumeratesProcesses (1 IoC)
    PID 1088  0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe

  Suspicious use of WriteProcessMemory (27 IoCs)
    Each pair below is reported three times (27 entries in total). Every target is the writer's own direct child, the pattern seen when a parent creates a child process, so on its own this is not evidence of injection into an unrelated process.
      source PID  source process                                                          target PID  target process
      1088        0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe   540         cmd.exe
      540         cmd.exe                                                                 452         PING.EXE
      540         cmd.exe                                                                 1824        0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
      1824        0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe   1492        cmd.exe
      1492        cmd.exe                                                                 1184        PING.EXE
      1492        cmd.exe                                                                 840         C0N6A19.exe
      840         C0N6A19.exe                                                             1112        cmd.exe
      1112        cmd.exe                                                                 284         PING.EXE
      1112        cmd.exe                                                                 2008        C0N6A19.exe
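The RunOnce value in the "Adds Run key" signature is the persistence mechanism worth understanding, so here is an added example (my own code, not Triage's and not the malware's) that takes the value exactly as the report prints it, undoes the report's escaping, splits the command the way cmd.exe and the Microsoft C runtime do, and reports that a RunOnce entry re-arms a Run value and what it launches. The constants are copied from the IoC above; all function names are mine.

```python
"""Decode a reported RunOnce value and flag 're-arming' autorun persistence."""
import re

# Constructed from the report's "Adds Run key" IoC (verbatim, still escaped).
REPORT_VALUE_PATH = (
    r"\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce\CJTKN1HW"
)
REPORT_VALUE_DATA = (
    r"cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    r"/f /v G0HLPMPDNJK /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp"
    r"\\C0N6A19.exe\\\" I5ILPL\" & start \"H\" "
    r"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\C0N6A19.exe\" I5ILPL"
)
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def unescape_report(text: str) -> str:
    """Undo the report's escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def split_cmd_segments(line: str) -> list[str]:
    """Split on '&' outside double quotes. cmd.exe only tracks '"' toggles;
    backslash means nothing to cmd, so \\" still toggles quoting."""
    segments, cur, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "&" and not in_quotes:
            segments.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    segments.append("".join(cur).strip())
    return [s for s in segments if s]


def split_windows_argv(cmdline: str) -> list[str]:
    """argv as the Microsoft C runtime builds it for reg.exe: '"' toggles quoting;
    backslashes are literal unless directly before '"', where 2n backslashes + '"'
    give n backslashes and toggle, and 2n+1 + '"' give n backslashes and a literal '"'."""
    args, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\":
            n = 0
            while i < len(cmdline) and cmdline[i] == "\\":
                n, i = n + 1, i + 1
            if i < len(cmdline) and cmdline[i] == '"':
                cur.append("\\" * (n // 2))
                if n % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i += 1
            else:
                cur.append("\\" * n)
            have_arg = True
        elif ch == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


def analyze_autorun_value(value_path: str, escaped_data: str) -> dict:
    """Describe the stored command: which Run/RunOnce value it rewrites and what it launches."""
    _, written_to, value_name = value_path.rsplit("\\", 2)
    data = unescape_report(escaped_data)
    body = re.sub(r'^\s*"?cmd(?:\.exe)?"?\s+/[ck]\s+', "", data, flags=re.IGNORECASE)
    result = {"written_to": written_to, "value_name": value_name,
              "rearms_run_key": False, "rearm": None, "launches": []}
    for seg in split_cmd_segments(body):
        argv = split_windows_argv(seg)
        if not argv:
            continue
        verb = argv[0].lower()
        if verb in ("reg", "reg.exe") and len(argv) > 2 and argv[1].lower() == "add":
            opts = {argv[i].lower(): argv[i + 1]
                    for i in range(3, len(argv) - 1) if argv[i].startswith("/")}
            if argv[2].lower().endswith(AUTORUN_KEYS):
                result["rearms_run_key"] = True
                result["rearm"] = {"key": argv[2], "value_name": opts.get("/v"), "data": opts.get("/d")}
        elif verb == "start":
            rest = seg[len(argv[0]):].lstrip()
            if rest.startswith('"'):  # start treats a leading quoted token as the window title
                argv = argv[:1] + argv[2:]
            if len(argv) > 1:
                result["launches"].append((argv[1], argv[2:]))
        else:  # bare "program args" launch
            result["launches"].append((argv[0], argv[1:]))
    return result


if __name__ == "__main__":
    print(analyze_autorun_value(REPORT_VALUE_PATH, REPORT_VALUE_DATA))
```

The `rearm` entry shows what the Run value will contain after reg.exe's own argument parsing: the quoted Temp path followed by I5ILPL, which is exactly the seventh-level command line in the process tree. A hunt over Sysmon registry SetValue events can reuse `analyze_autorun_value` unchanged: any RunOnce or Run write whose data itself calls `reg add` on an autorun key deserves a look.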
Processes
  PIDs are taken from the WriteProcessMemory IoCs above; indentation shows parent/child.

  C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe  (PID 1088)
    command line: "C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 540)
      command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe TRT9
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\PING.EXE  (PID 452)
        command line: ping 8.8.8.8 -n 2
        - Runs ping.exe

      C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe  (PID 1824)
        command line: C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe TRT9
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe  (PID 1492)
          command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe YIIY4
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\PING.EXE  (PID 1184)
            command line: ping 8.8.8.8 -n 2
            - Runs ping.exe

          C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe  (PID 840)
            command line: C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe YIIY4
            - Executes dropped EXE
            - Adds Run key to start application
            - Drops file in Windows directory
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe  (PID 1112)
              command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe I5ILPL
              - Loads dropped DLL
              - Suspicious use of WriteProcessMemory

              C:\Windows\system32\PING.EXE  (PID 284)
                command line: ping 8.8.8.8 -n 2
                - Runs ping.exe

              C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe  (PID 2008)
                command line: C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe I5ILPL
                - Executes dropped EXE
                - Drops file in Windows directory

  Every stage hands off through the same construct, cmd /c ping 8.8.8.8 -n 2 & <exe> <arg>: the ping is a short delay before the next binary starts, each stage receives a different argument (TRT9, YIIY4, I5ILPL), and from the second hand-off onward the binary runs from the Temp copy C0N6A19.exe instead of the submitted file.
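The hand-off pattern in the tree above (a cmd.exe that pings as a sleep and then relaunches the malware with a new argument) is easy to catch in process-creation telemetry. The following is an added example, my own code rather than anything from Triage or the sample, run over events constructed from this report's process tree; the PIDs are the ones the report gives, the parent of the root process is unknown and set to None, and the event field names (pid, ppid, image, cmdline) are my own approximation of a Sysmon event 1.

```python
"""Spot 'cmd /c ping <host> -n N & <program>' delay-then-relaunch chains."""
import re
from collections import defaultdict

# Constructed from the report's process tree; PIDs from its WriteProcessMemory IoCs.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe"
COPY = r"C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe"
CMD = r"C:\Windows\system32\cmd.exe"
PING = r"C:\Windows\system32\PING.EXE"


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [
    ev(1088, None, SAMPLE, f'"{SAMPLE}"'),
    ev(540, 1088, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {SAMPLE} TRT9"),
    ev(452, 540, PING, "ping 8.8.8.8 -n 2"),
    ev(1824, 540, SAMPLE, f"{SAMPLE} TRT9"),
    ev(1492, 1824, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {COPY} YIIY4"),
    ev(1184, 1492, PING, "ping 8.8.8.8 -n 2"),
    ev(840, 1492, COPY, f"{COPY} YIIY4"),
    ev(1112, 840, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {COPY} I5ILPL"),
    ev(284, 1112, PING, "ping 8.8.8.8 -n 2"),
    ev(2008, 1112, COPY, f"{COPY} I5ILPL"),
]

# ping -n N sends N echo requests about a second apart, so this sleeps roughly
# N-1 seconds when the host answers (longer if it times out); the host is
# irrelevant, 8.8.8.8 is simply always reachable.
PING_THEN_RUN = re.compile(
    r'^\s*"?cmd(?:\.exe)?"?\s+/[ck]\s+ping(?:\.exe)?\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)'
    r"\s*&+\s*(?P<launch>.+?)\s*$",
    re.IGNORECASE,
)


def win_basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def find_ping_delay_relaunches(events: list[dict]) -> list[dict]:
    """One finding per matching cmd.exe, enriched with what it actually spawned."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    findings = []
    for e in events:
        if win_basename(e["image"]).lower() != "cmd.exe":
            continue
        m = PING_THEN_RUN.match(e["cmdline"])
        if not m:
            continue
        lm = re.match(r'(?:"([^"]+)"|(\S+))\s*(.*)', m["launch"])
        exe, args = (lm.group(1) or lm.group(2)), lm.group(3).split()
        parent = by_pid.get(e["ppid"])
        kids = children[e["pid"]]
        child = next((k for k in kids if k["image"].lower() == exe.lower()), None)
        findings.append({
            "cmd_pid": e["pid"],
            "parent_pid": e["ppid"],
            "delay_host": m["host"],
            "delay_count": int(m["count"]),
            "spawned_ping": any(win_basename(k["image"]).lower() == "ping.exe" for k in kids),
            "child_pid": child["pid"] if child else None,
            "child_image": exe,
            "child_args": args,
            # False marks the hop where the image changed (here: sample -> Temp copy)
            "same_image_as_parent": bool(parent) and parent["image"].lower() == exe.lower(),
        })
    return findings


def relaunch_chain(findings: list[dict]) -> list[int]:
    """Follow parent -> relaunched child across findings; returns the PIDs in order."""
    relaunched = {f["child_pid"] for f in findings}
    chain = []
    for root in (f for f in findings if f["parent_pid"] not in relaunched):
        chain.append(root["parent_pid"])
        cur = root
        while cur is not None:
            chain.append(cur["child_pid"])
            cur = next((f for f in findings if f["parent_pid"] == cur["child_pid"]), None)
    return chain


if __name__ == "__main__":
    hops = find_ping_delay_relaunches(EVENTS)
    for h in hops:
        print(h)
    print("relaunch chain:", relaunch_chain(hops))
```

The command-line regex alone would fire on benign installer scripts that use the same ping trick, so the finding is enriched with the children the cmd.exe actually spawned: a confirmed PING.EXE child plus a relaunched child that is the parent's own image or a freshly written copy of it is what makes this chain worth escalating.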
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

  C:\Users\Admin\AppData\Local\Temp\C0N6A19.exe
    MD5     8a04926cc8b9bb02b39a24133445a1cd
    SHA1    89b08d47b58000b4124e89160acb44115368c377
    SHA256  0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
    SHA512  63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac
    All four digests equal those of the submitted sample: C0N6A19.exe is a byte-for-byte copy of it written to the user's Temp directory, so a hash-based blocklist entry for the sample also covers the dropped file.
  \Users\Admin\AppData\Local\Temp\C0N6A19.exe
    MD5     8a04926cc8b9bb02b39a24133445a1cd
    SHA1    89b08d47b58000b4124e89160acb44115368c377
    SHA256  0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
    SHA512  63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac
  Memory dumps (PID 1088, the regions matched by the BazarLoaderVar1 YARA rule)
    memory/1088-54-0x0000000000350000-0x0000000000374000-memory.dmp   144KB
    memory/1088-58-0x0000000180000000-0x0000000180022000-memory.dmp   136KB
    memory/1088-62-0x0000000000210000-0x0000000000232000-memory.dmp   136KB