Analysis
- max time kernel: 148s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 20-03-2022 02:52
Static task: static1
Behavioral task: behavioral1
- Sample: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
- Resource: win10v2004-20220310-en
General
- Target: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
- Size: 266KB
- MD5: 8a04926cc8b9bb02b39a24133445a1cd
- SHA1: 89b08d47b58000b4124e89160acb44115368c377
- SHA256: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
- SHA512: 63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac
Malware Config
Extracted config (family: bazarloader), addresses:
- 54.193.186.118
- 13.57.15.8
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1188-134-0x0000000000430000-0x0000000000454000-memory.dmp | BazarLoaderVar1
  behavioral2/memory/1188-138-0x0000000180000000-0x0000000180022000-memory.dmp | BazarLoaderVar1
  behavioral2/memory/1188-142-0x0000000000400000-0x0000000000422000-memory.dmp | BazarLoaderVar1
- Executes dropped EXE (2 IoCs)
  pid | process
  732 | FOYCB09.exe
  4140 | FOYCB09.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NA7S9N413 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v LXO4ATBK0B /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYCB09.exe\\\" RIV64Z3\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYCB09.exe\" RIV64Z3" | FOYCB09.exe
  (The value is shown with the report's escaping. When the RunOnce entry fires it re-registers FOYCB09.exe under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as value LXO4ATBK0B and immediately starts it with the argument RIV64Z3, the same argument the last FOYCB09.exe in the process tree was launched with.)
- Drops file in Windows directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\explorer.exe | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
  File opened for modification | C:\Windows\explorer.exe | FOYCB09.exe
  File opened for modification | C:\Windows\explorer.exe | FOYCB09.exe
  File opened for modification | C:\Windows\explorer.exe | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
- Runs ping.exe (1 TTP, 3 IoCs)
  pid | process
  2912 | PING.EXE
  1204 | PING.EXE
  1412 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1188 | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
  1188 | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
- Suspicious use of WriteProcessMemory (18 IoCs; each write below was recorded twice)
  description | pid | process | target process
  PID 1188 wrote to memory of 2388 | 1188 | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe | cmd.exe
  PID 2388 wrote to memory of 2912 | 2388 | cmd.exe | PING.EXE
  PID 2388 wrote to memory of 1008 | 2388 | cmd.exe | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
  PID 1008 wrote to memory of 4332 | 1008 | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe | cmd.exe
  PID 4332 wrote to memory of 1204 | 4332 | cmd.exe | PING.EXE
  PID 4332 wrote to memory of 732 | 4332 | cmd.exe | FOYCB09.exe
  PID 732 wrote to memory of 1752 | 732 | FOYCB09.exe | cmd.exe
  PID 1752 wrote to memory of 1412 | 1752 | cmd.exe | PING.EXE
  PID 1752 wrote to memory of 4140 | 1752 | cmd.exe | FOYCB09.exe
Processes (tree; depth shown by indentation, PIDs taken from the WriteProcessMemory IoCs above)
- C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe (PID 1188)
  command line: "C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe (PID 2388)
    command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe LD6OR
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (PID 2912)
      command line: ping 8.8.8.8 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe (PID 1008)
      command line: C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe LD6OR
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe (PID 4332)
        command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe FNJ0
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE (PID 1204)
          command line: ping 8.8.8.8 -n 2
          - Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe (PID 732)
          command line: C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe FNJ0
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\cmd.exe (PID 1752)
            command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe RIV64Z3
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE (PID 1412)
              command line: ping 8.8.8.8 -n 2
              - Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe (PID 4140)
              command line: C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe RIV64Z3
              - Executes dropped EXE
              - Drops file in Windows directory
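The process tree shows the same three-step pattern at every stage: the running binary spawns cmd.exe, which pings 8.8.8.8 twice as a short delay and then relaunches the loader (first the original sample, then the %TEMP% copy FOYCB09.exe) with a different single-token argument (LD6OR, FNJ0, RIV64Z3); the RunOnce value recorded under the "Adds Run key" signature repeats the same idea at the next logon, re-registering FOYCB09.exe under the Run key and starting it with RIV64Z3. The following detection logic is an added example, not part of the sandbox report or of the sample: it runs over process-creation records constructed from the tree above (the pid/ppid/image/cmdline field names are an assumed generic schema, not any particular EDR export) and over the RunOnce value, and confirms a relaunch by checking that the ping and the relaunched binary actually appear as children of the cmd.exe rather than trusting the command line alone.

```python
"""Added example (not from the report or the sample): detect the ping-delay relaunch
chain and the RunOnce -> Run persistence hand-off seen in this report.
Event records and the RunOnce value are constructed from the page; the field names
(pid, ppid, image, cmdline) are an assumed generic schema, not a specific EDR/Sysmon export.
"""
import re
from collections import namedtuple

# cmd /c ping <ip> -n <count> & <X:\path\binary.exe> [<token>]
PING_RELAUNCH = re.compile(
    r'^cmd(?:\.exe)?\s+/c\s+ping\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-n\s+(?P<count>\d+)'
    r'\s*&\s*(?P<path>"?[A-Za-z]:\\[^"&]+?\.exe"?)(?:\s+(?P<arg>\S+))?\s*$',
    re.IGNORECASE,
)
# reg(.exe) add <hive>\Software\Microsoft\Windows\CurrentVersion\Run ... /v <name> ... /d <data>
REG_ADD_RUN = re.compile(
    r'reg(?:\.exe)?\s+add\s+(?P<key>HK\w+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run)\s+'
    r'.*?/v\s+(?P<name>\S+).*?/d\s+(?P<data>"(?:[^"\\]|\\.)*"|\S+)',
    re.IGNORECASE,
)

Event = namedtuple("Event", "pid ppid image cmdline")
# confirmed = both a ping.exe child and the relaunched binary were observed under the cmd.exe
RelaunchHit = namedtuple("RelaunchHit", "cmd_pid parent_pid ping_target ping_count relaunched_path arg confirmed")


def find_relaunch_chains(events):
    """Flag cmd.exe instances whose command line is 'ping ... & <exe> <token>' and use the
    parent/child relation to confirm the relaunch really happened."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe"):
            continue
        m = PING_RELAUNCH.match(ev.cmdline)
        if not m:
            continue
        target = m["path"].strip('"')
        kids = children.get(ev.pid, [])
        ran_ping = any(k.image.lower().endswith("\\ping.exe") for k in kids)
        relaunched = any(k.image.lower() == target.lower() for k in kids)
        hits.append(RelaunchHit(ev.pid, ev.ppid, m["ip"], int(m["count"]),
                                target, m["arg"], ran_ping and relaunched))
    return hits


def parse_run_entry(data):
    """Extract Run key, value name, persisted binary and argument from a RunOnce/Run value
    that re-registers itself via reg.exe; None if the value is not of that shape."""
    m = REG_ADD_RUN.search(data)
    if not m:
        return None
    payload = m["data"]
    if len(payload) >= 2 and payload[0] == payload[-1] == '"':
        payload = payload[1:-1].replace(r'\"', '"')  # undo the cmd-level quoting of /d
    pm = re.match(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s+(?P<arg>\S+))?\s*$', payload, re.IGNORECASE)
    return {
        "run_key": m["key"],
        "value_name": m["name"],
        "path": pm["path"] if pm else payload,
        "arg": pm["arg"] if pm else None,
        # '& start ...' after the reg add means the binary is also launched right away
        "starts_immediately": re.search(r'&\s*start\b', data, re.IGNORECASE) is not None,
    }


# --- constructed from the report's process tree (PIDs from the WriteProcessMemory IoCs) ---
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe"
CMD, PING = r"C:\Windows\SYSTEM32\cmd.exe", r"C:\Windows\system32\PING.EXE"
EVENTS = [
    Event(1188, 0, SAMPLE, f'"{SAMPLE}"'),  # root of the tree; its parent is not in the report
    Event(2388, 1188, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {SAMPLE} LD6OR"),
    Event(2912, 2388, PING, "ping 8.8.8.8 -n 2"),
    Event(1008, 2388, SAMPLE, f"{SAMPLE} LD6OR"),
    Event(4332, 1008, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} FNJ0"),
    Event(1204, 4332, PING, "ping 8.8.8.8 -n 2"),
    Event(732, 4332, DROPPED, f"{DROPPED} FNJ0"),
    Event(1752, 732, CMD, f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} RIV64Z3"),
    Event(1412, 1752, PING, "ping 8.8.8.8 -n 2"),
    Event(4140, 1752, DROPPED, f"{DROPPED} RIV64Z3"),
]
# The RunOnce\NA7S9N413 value from the report, with the report's JSON-style escaping undone.
RUNONCE_DATA = (
    r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v LXO4ATBK0B '
    r'/t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe\" RIV64Z3" '
    r'& start "H" "C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe" RIV64Z3'
)

if __name__ == "__main__":
    for h in find_relaunch_chains(EVENTS):
        print(f"cmd {h.cmd_pid}: ping {h.ping_target} -n {h.ping_count}, then {h.relaunched_path} {h.arg} (confirmed={h.confirmed})")
    print(parse_run_entry(RUNONCE_DATA))
```

Run as a script it reports the three confirmed relaunches (arguments LD6OR, FNJ0, RIV64Z3) and the decoded Run entry; the argument recovered from the RunOnce value equals the one on the last FOYCB09.exe launch, which is the hand-off worth alerting on. The parent/child confirmation matters in practice because a bare command-line match also fires on benign batch files that ping before starting a program; requiring that the ping and the named binary both appear as children of that cmd.exe, and that the binary lives under a user-writable path, cuts that noise.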
Downloads
- C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe (recorded three times; all three copies carry the hashes below, which are identical to those of the submitted sample, so the dropped file is a byte-for-byte copy of the loader itself)
  MD5: 8a04926cc8b9bb02b39a24133445a1cd
  SHA1: 89b08d47b58000b4124e89160acb44115368c377
  SHA256: 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
  SHA512: 63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac
- memory/1188-134-0x0000000000430000-0x0000000000454000-memory.dmp (filesize 144KB)
- memory/1188-138-0x0000000180000000-0x0000000180022000-memory.dmp (filesize 136KB)
- memory/1188-142-0x0000000000400000-0x0000000000422000-memory.dmp (filesize 136KB)