Analysis
- max time kernel: 120s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 21-03-2022 08:29
Static task
- static1
Behavioral task: behavioral1
- Sample: Attachments.lnk
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: Attachments.lnk
- Resource: win10v2004-20220310-en
Behavioral task: behavioral3
- Sample: DumpStack.dll
- Resource: win7-20220310-en
Behavioral task: behavioral4
- Sample: DumpStack.dll
- Resource: win10v2004-en-20220113
General
- Target: Attachments.lnk
- Size: 1KB
- MD5: e87e52db1aa360baf8444c5524dd2b26
- SHA1: b89d0c4568c74f03ec3e1917c22a83c37409b10a
- SHA256: 6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
- SHA512: e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload (1 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3500-136-0x0000000180000000-0x000000018003D000-memory.dmp | BazarLoaderVar5
-
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
flow | pid | process
65 | 3500 | rundll32.exe
74 | 3500 | rundll32.exe
75 | 3500 | rundll32.exe
76 | 3500 | rundll32.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | cmd.exe
-
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
pid | process
3500 | rundll32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cmd.exe, cmd.exe
description | pid | process | target process
PID 2888 wrote to memory of 408 | 2888 | cmd.exe | cmd.exe
PID 2888 wrote to memory of 408 | 2888 | cmd.exe | cmd.exe
PID 408 wrote to memory of 3480 | 408 | cmd.exe | xcopy.exe
PID 408 wrote to memory of 3480 | 408 | cmd.exe | xcopy.exe
PID 408 wrote to memory of 3500 | 408 | cmd.exe | rundll32.exe
PID 408 wrote to memory of 3500 | 408 | cmd.exe | rundll32.exe
Processes
-
C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\System32\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\xcopy.exe (depth 3)
      Command line: xcopy /y DumpStack.log c:\programdata\
    -
    C:\Windows\System32\rundll32.exe (depth 3)
      Command line: C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\DumpStack.log
MD5: 85326ee9659fc5bf82c6d71b74f02684
SHA1: f2bd6c53e806861256285bb1c0d51312a10267a8
SHA256: ca3c7c4b570751c0dbf9063a23035967dfca4a2c7a8ce6bb2997439257ac6f10
SHA512: 43b621dc4169a370241423c3775a1ac9ea83fb4df73111cb396b149f79a9d51122c5f3f8f1158482feefe62d45af741d04540e4578f84e613f0a5c668d41cf0b
-
C:\programdata\DumpStack.log
MD5: 85326ee9659fc5bf82c6d71b74f02684
SHA1: f2bd6c53e806861256285bb1c0d51312a10267a8
SHA256: ca3c7c4b570751c0dbf9063a23035967dfca4a2c7a8ce6bb2997439257ac6f10
SHA512: 43b621dc4169a370241423c3775a1ac9ea83fb4df73111cb396b149f79a9d51122c5f3f8f1158482feefe62d45af741d04540e4578f84e613f0a5c668d41cf0b
-
memory/3500-136-0x0000000180000000-0x000000018003D000-memory.dmp
Filesize: 244KB