ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b

General

Target

ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b.dll
Size

137KB
MD5

80a0d6819d431dbde0661de16f1487af
SHA1

c57b6cdc3852bd11adf5f1eb3f5b8ec077037093
SHA256

ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b
SHA512

d1802939f331e215be388d8b9187385ed50aea27e73217fba41f413cf101e4ae6ab9d8977e6fde9f8d9221c01a9453a62caad1e3ea9b3e77fd48f4514d95d6ff

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 64 IoCs

Processes:

rundll32.exe

flow	pid	process
2	1776	rundll32.exe
3	1776	rundll32.exe
4	1776	rundll32.exe
5	1776	rundll32.exe
6	1776	rundll32.exe
7	1776	rundll32.exe
8	1776	rundll32.exe
9	1776	rundll32.exe
10	1776	rundll32.exe
11	1776	rundll32.exe
12	1776	rundll32.exe
13	1776	rundll32.exe
14	1776	rundll32.exe
15	1776	rundll32.exe
16	1776	rundll32.exe
17	1776	rundll32.exe
18	1776	rundll32.exe
19	1776	rundll32.exe
20	1776	rundll32.exe
21	1776	rundll32.exe
22	1776	rundll32.exe
23	1776	rundll32.exe
24	1776	rundll32.exe
25	1776	rundll32.exe
26	1776	rundll32.exe
27	1776	rundll32.exe
28	1776	rundll32.exe
29	1776	rundll32.exe
30	1776	rundll32.exe
31	1776	rundll32.exe
32	1776	rundll32.exe
33	1776	rundll32.exe
34	1776	rundll32.exe
35	1776	rundll32.exe
36	1776	rundll32.exe
37	1776	rundll32.exe
38	1776	rundll32.exe
39	1776	rundll32.exe
40	1776	rundll32.exe
41	1776	rundll32.exe
42	1776	rundll32.exe
43	1776	rundll32.exe
44	1776	rundll32.exe
45	1776	rundll32.exe
46	1776	rundll32.exe
47	1776	rundll32.exe
48	1776	rundll32.exe
49	1776	rundll32.exe
50	1776	rundll32.exe
51	1776	rundll32.exe
52	1776	rundll32.exe
53	1776	rundll32.exe
54	1776	rundll32.exe
55	1776	rundll32.exe
56	1776	rundll32.exe
57	1776	rundll32.exe
58	1776	rundll32.exe
59	1776	rundll32.exe
60	1776	rundll32.exe
61	1776	rundll32.exe
62	1776	rundll32.exe
63	1776	rundll32.exe
64	1776	rundll32.exe
65	1776	rundll32.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
343	ewkuonud.bazar
41	soqaibib.bazar
58	soqaibib.bazar
170	eloxsoel.bazar
202	ywuxelon.bazar
254	sogytoso.bazar
273	ekletoso.bazar
291	ekletoso.bazar
407	edcoelud.bazar
74	emuxonon.bazar
90	emuxonon.bazar
102	ibdaudso.bazar
180	eloxsoel.bazar
311	idquonso.bazar
321	idquonso.bazar
347	ewkuonud.bazar
37	soqaibib.bazar
47	soqaibib.bazar
252	sogytoso.bazar
331	idquonso.bazar
340	ewkuonud.bazar
381	cunatoel.bazar
240	ewkuonud.bazar
260	sogytoso.bazar
261	sogytoso.bazar
262	sogytoso.bazar
279	ekletoso.bazar
318	idquonso.bazar
64	emuxonon.bazar
81	emuxonon.bazar
87	emuxonon.bazar
283	ekletoso.bazar
129	idleonib.bazar
139	idleonib.bazar
224	ewkuonud.bazar
242	sogytoso.bazar
356	ewkuonud.bazar
312	idquonso.bazar
320	idquonso.bazar
350	ewkuonud.bazar
384	cunatoel.bazar
45	soqaibib.bazar
192	ywuxelon.bazar
229	ewkuonud.bazar
269	sogytoso.bazar
363	cunatoel.bazar
367	cunatoel.bazar
289	ekletoso.bazar
48	soqaibib.bazar
50	soqaibib.bazar
152	eloxsoel.bazar
158	eloxsoel.bazar
182	ywuxelon.bazar
188	ywuxelon.bazar
198	ywuxelon.bazar
397	edcoelud.bazar
51	soqaibib.bazar
67	emuxonon.bazar
69	emuxonon.bazar
142	idleonib.bazar
166	eloxsoel.bazar
235	ewkuonud.bazar
409	edcoelud.bazar
80	emuxonon.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	169.239.202.202
Destination IP	208.67.222.222
Destination IP	51.255.211.146
Destination IP	167.99.153.82
Destination IP	142.4.204.111
Destination IP	69.164.196.21
Destination IP	163.172.185.51
Destination IP	5.45.97.127
Destination IP	192.99.85.244
Destination IP	185.121.177.177
Destination IP	172.98.193.42
Destination IP	45.63.124.65
Destination IP	167.99.153.82
Destination IP	45.63.124.65
Destination IP	176.126.70.119
Destination IP	147.135.185.78
Destination IP	208.67.220.220
Destination IP	172.104.136.243
Destination IP	208.67.220.220
Destination IP	185.164.136.225
Destination IP	172.104.136.243
Destination IP	176.126.70.119
Destination IP	96.47.228.108
Destination IP	192.99.85.244
Destination IP	77.73.68.161
Destination IP	185.164.136.225
Destination IP	45.32.160.206
Destination IP	96.47.228.108
Destination IP	208.67.222.222
Destination IP	96.47.228.108
Destination IP	208.67.222.222
Destination IP	172.98.193.42
Destination IP	77.73.68.161
Destination IP	172.104.136.243
Destination IP	185.121.177.177
Destination IP	35.196.105.24
Destination IP	185.121.177.177
Destination IP	63.231.92.27
Destination IP	94.177.171.127
Destination IP	45.63.124.65
Destination IP	89.35.39.64
Destination IP	162.248.241.94
Destination IP	147.135.185.78
Destination IP	169.239.202.202
Destination IP	51.255.211.146
Destination IP	147.135.185.78
Destination IP	192.99.85.244
Destination IP	185.164.136.225
Destination IP	172.98.193.42
Destination IP	142.4.205.47
Destination IP	45.63.124.65
Destination IP	172.104.136.243
Destination IP	5.135.183.146
Destination IP	163.172.185.51
Destination IP	147.135.185.78
Destination IP	176.126.70.119
Destination IP	176.126.70.119
Destination IP	172.104.136.243
Destination IP	208.67.222.222
Destination IP	45.63.124.65
Destination IP	139.59.23.241
Destination IP	169.239.202.202
Destination IP	5.135.183.146
Destination IP	147.135.185.78

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1776 rundll32.exe

pid	process
1776	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccfa86896ffc44125e762009e0301fa662ce58cc87d71e457873d741f43d8d5b.dll,#1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1776

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads