Analysis
- max time kernel: 4294212s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 29-03-2022 00:10
Static task: static1
Behavioral task: behavioral1
- Sample: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
- Resource: win7-20220311-en
Behavioral task: behavioral2
- Sample: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
- Resource: win10v2004-20220310-en
General
- Target: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
- Size: 603KB
- MD5: dac91ccf0929071e9db5b75be0f6a3a6
- SHA1: 466b804c1c95145f7a5d06cee956610c16951372
- SHA256: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266
- SHA512: ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (6 IoCs)
  resource / yara_rule:
  behavioral1/memory/1504-55-0x0000000001BC0000-0x0000000001BFD000-memory.dmp  BazarLoaderVar1
  behavioral1/memory/1504-59-0x0000000001E60000-0x0000000001E9A000-memory.dmp  BazarLoaderVar1
  behavioral1/memory/1504-63-0x0000000001B80000-0x0000000001BBB000-memory.dmp  BazarLoaderVar1
  behavioral1/memory/1120-72-0x0000000002070000-0x00000000020AA000-memory.dmp  BazarLoaderVar1
  behavioral1/memory/1576-87-0x0000000001D50000-0x0000000001D8A000-memory.dmp  BazarLoaderVar1
  behavioral1/memory/1908-101-0x0000000001F20000-0x0000000001F5A000-memory.dmp  BazarLoaderVar1
- Executes dropped EXE (2 IoCs)
  pid / process:
  1576  Y4ND5C6.exe
  1908  Y4ND5C6.exe
- Tries to connect to .bazar domain (13 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Loads dropped DLL (2 IoCs)
  pid / process:
  1076  cmd.exe
  1580  cmd.exe
- Unexpected DNS network traffic destination (43 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Y4ND5C6.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Q55TVRST = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v KWJN12LPGEZ /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Y4ND5C6.exe\\\" UP2ANP\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Y4ND5C6.exe\" UP2ANP"
- Runs ping.exe (1 TTP, 3 IoCs)
  pid / process:
  1548  PING.EXE
  700   PING.EXE
  1832  PING.EXE
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid / process:
  1504  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
- Suspicious use of SetWindowsHookEx (8 IoCs)
  pid / process:
  1504  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
  1120  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
  1576  Y4ND5C6.exe
  1908  Y4ND5C6.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description / pid / process / target process:
  PID 1504 wrote to memory of 1244  1504  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe  cmd.exe
  PID 1244 wrote to memory of 1548  1244  cmd.exe  PING.EXE
  PID 1244 wrote to memory of 1120  1244  cmd.exe  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
  PID 1120 wrote to memory of 1076  1120  a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe  cmd.exe
  PID 1076 wrote to memory of 700   1076  cmd.exe  PING.EXE
  PID 1076 wrote to memory of 1576  1076  cmd.exe  Y4ND5C6.exe
  PID 1576 wrote to memory of 1580  1576  Y4ND5C6.exe  cmd.exe
  PID 1580 wrote to memory of 1832  1580  cmd.exe  PING.EXE
  PID 1580 wrote to memory of 1908  1580  cmd.exe  Y4ND5C6.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe WZH9
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE (depth 3)
      Command line: ping 8.8.8.8 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe WZH9
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe (depth 4)
        Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe Y6J62
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE (depth 5)
          Command line: ping 8.8.8.8 -n 2
          - Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe (depth 5)
          Command line: C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe Y6J62
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe (depth 6)
            Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe UP2ANP
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE (depth 7)
              Command line: ping 8.8.8.8 -n 2
              - Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe (depth 7)
              Command line: C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe UP2ANP
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
  Filesize: 603KB
  MD5: dac91ccf0929071e9db5b75be0f6a3a6
  SHA1: 466b804c1c95145f7a5d06cee956610c16951372
  SHA256: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266
  SHA512: ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69
- \??\PIPE\wkssvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- \Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
  Filesize: 603KB
  MD5: dac91ccf0929071e9db5b75be0f6a3a6
  SHA1: 466b804c1c95145f7a5d06cee956610c16951372
  SHA256: a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266
  SHA512: ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69
- memory/700-77-0x0000000000000000-mapping.dmp
- memory/1076-76-0x0000000000000000-mapping.dmp
- memory/1120-66-0x0000000000000000-mapping.dmp
- memory/1120-72-0x0000000002070000-0x00000000020AA000-memory.dmp, Filesize: 232KB
- memory/1244-64-0x0000000000000000-mapping.dmp
- memory/1504-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp, Filesize: 8KB
- memory/1504-63-0x0000000001B80000-0x0000000001BBB000-memory.dmp, Filesize: 236KB
- memory/1504-59-0x0000000001E60000-0x0000000001E9A000-memory.dmp, Filesize: 232KB
- memory/1504-55-0x0000000001BC0000-0x0000000001BFD000-memory.dmp, Filesize: 244KB
- memory/1548-65-0x0000000000000000-mapping.dmp
- memory/1576-87-0x0000000001D50000-0x0000000001D8A000-memory.dmp, Filesize: 232KB
- memory/1576-79-0x0000000000000000-mapping.dmp
- memory/1580-91-0x0000000000000000-mapping.dmp
- memory/1832-92-0x0000000000000000-mapping.dmp
- memory/1908-94-0x0000000000000000-mapping.dmp
- memory/1908-101-0x0000000001F20000-0x0000000001F5A000-memory.dmp, Filesize: 232KB