bazarloader | 0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706

General

Target

0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
Size

266KB
MD5

8a04926cc8b9bb02b39a24133445a1cd
SHA1

89b08d47b58000b4124e89160acb44115368c377
SHA256

0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706
SHA512

63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

54.193.186.118

13.57.15.8

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1188-134-0x0000000000430000-0x0000000000454000-memory.dmp	BazarLoaderVar1
behavioral2/memory/1188-138-0x0000000180000000-0x0000000180022000-memory.dmp	BazarLoaderVar1
behavioral2/memory/1188-142-0x0000000000400000-0x0000000000422000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

FOYCB09.exeFOYCB09.exe

pid process

732 FOYCB09.exe
4140 FOYCB09.exe

pid	process
732	FOYCB09.exe
4140	FOYCB09.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

FOYCB09.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NA7S9N413 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v LXO4ATBK0B /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYCB09.exe\\\" RIV64Z3\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FOYCB09.exe\" RIV64Z3"	FOYCB09.exe

Drops file in Windows directory 4 IoCs

Processes:

0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exeFOYCB09.exeFOYCB09.exe0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe

description	ioc	process
File opened for modification	C:\Windows\explorer.exe	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
File opened for modification	C:\Windows\explorer.exe	FOYCB09.exe
File opened for modification	C:\Windows\explorer.exe	FOYCB09.exe
File opened for modification	C:\Windows\explorer.exe	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2912 PING.EXE
1204 PING.EXE
1412 PING.EXE

pid	process
2912	PING.EXE
1204	PING.EXE
1412	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe

pid	process
1188	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
1188	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.execmd.exe0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.execmd.exeFOYCB09.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 2388	1188	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe	cmd.exe
PID 1188 wrote to memory of 2388	1188	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe	cmd.exe
PID 2388 wrote to memory of 2912	2388	cmd.exe	PING.EXE
PID 2388 wrote to memory of 2912	2388	cmd.exe	PING.EXE
PID 2388 wrote to memory of 1008	2388	cmd.exe	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
PID 2388 wrote to memory of 1008	2388	cmd.exe	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
PID 1008 wrote to memory of 4332	1008	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe	cmd.exe
PID 1008 wrote to memory of 4332	1008	0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe	cmd.exe
PID 4332 wrote to memory of 1204	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 1204	4332	cmd.exe	PING.EXE
PID 4332 wrote to memory of 732	4332	cmd.exe	FOYCB09.exe
PID 4332 wrote to memory of 732	4332	cmd.exe	FOYCB09.exe
PID 732 wrote to memory of 1752	732	FOYCB09.exe	cmd.exe
PID 732 wrote to memory of 1752	732	FOYCB09.exe	cmd.exe
PID 1752 wrote to memory of 1412	1752	cmd.exe	PING.EXE
PID 1752 wrote to memory of 1412	1752	cmd.exe	PING.EXE
PID 1752 wrote to memory of 4140	1752	cmd.exe	FOYCB09.exe
PID 1752 wrote to memory of 4140	1752	cmd.exe	FOYCB09.exe

C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
"C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe LD6OR
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:2912

C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe
C:\Users\Admin\AppData\Local\Temp\0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706.exe LD6OR
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe FNJ0
4⤵
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:1204

C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe
C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe FNJ0
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe RIV64Z3
6⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:1412

C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe
C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe RIV64Z3
7⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4140

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe
MD5
8a04926cc8b9bb02b39a24133445a1cd

SHA1
89b08d47b58000b4124e89160acb44115368c377

SHA256
0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706

SHA512
63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe
MD5
8a04926cc8b9bb02b39a24133445a1cd

SHA1
89b08d47b58000b4124e89160acb44115368c377

SHA256
0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706

SHA512
63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FOYCB09.exe
MD5
8a04926cc8b9bb02b39a24133445a1cd

SHA1
89b08d47b58000b4124e89160acb44115368c377

SHA256
0ff506dc51126a4c89c4a8e435b09f2a6e0811df95b922898ccbe8c9ac7f2706

SHA512
63b3c61719b7fadea5f3eccc1dca87825b8d1d74a14f01fc39d50c6690842f3c1e24f334e9110b720c6e32db21f46daae5514d77d8221961bde5146a302acfac

Download Submit
memory/1188-134-0x0000000000430000-0x0000000000454000-memory.dmp

Filesize
144KB

Download
memory/1188-138-0x0000000180000000-0x0000000180022000-memory.dmp

Filesize
136KB

Download
memory/1188-142-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads