bazarloader | 82a8df3ffd979fb159bf88ba6f17ae736d9b4d6a5f7f4d0722ccdc23b93677f0 | Triage

Analysis

max time kernel
118s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
30-03-2022 07:14

Sharing

Report Analysis Logs

General

Target

cd8c6dcf792f0677ca7c8f821c88b6938c38f709c096096ff1babfa504b39cf0.dll
Size

711KB
MD5

fa51cc2f2325505d225cea202e2ea405
SHA1

f27f9ee5ad9b48dbcfe5750d2b304eda0ff72024
SHA256

cd8c6dcf792f0677ca7c8f821c88b6938c38f709c096096ff1babfa504b39cf0
SHA512

9abe97ff4723d07a7a8bc15ed22840f7a358ba74d855822c3b34b28a3987a5ca163a623742ef5fccdfb2dba109c2a4edee74830fa3e8dcca3a0218dd2b0becae

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

C2

reddew28c.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1720-134-0x00000204D5BF0000-0x00000204D5C1B000-memory.dmp	BazarLoaderVar6

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4156 4640 WerFault.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006C4A871EE = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000006328a96bcd52efbdfe14bed7a92cefb54929d1fcdcbc1e510fd819c3db26aa03000000000e8000000002000020000000767ca89c805f8d308874dbd7b7464dd8d0ddb107b2d00553807e460329b580f2800000004b6496baac7b3a18fc9c71848eff168c016e83b7fcf6e997e320699f85aac4d627eed34e4485500aa596654ba76ee578f0c77424ee274d4bef5891308fd6325f26d60975c881a64f2b2007b2cdda89b027fe48924b88a46ad4767a20b3b26b3b25ce827e6b927229e6c8d9bb66650bbbeb112e78e158e21924e954edab8eaea1400000008fc46cad51690fb64c824ccd8323f9cbece0c7133f912e7db794fcef913028dd6c1f69e597f4dd4ff8f8124f2fa6bda3fecb497248a1e74a7c647fe5a1a64274	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000e8db99e9183775443e412d8da7986d50bd84108d4f2efb2b46faefc6ff81095c000000000e80000000020000200000003caaac0025435df9e9202f9d583b0ac2c725067dd9ee69d09d2fe3b8e5a1b2a9100d00005f34cd9cebadef5f10ded3f7975eed7bced957eed0a8a4cae72d3cb1546cc0b0897e790dc6c352514d996f9536e13fa26d4f563c009485824ab3497b5c5353188a15979a45e4a1c03fe148cace758c2445c65b15a91b67518efc06bc4925e5f5fa443488397a6cd38dc8d02e400cc0359a8ae0b87a2001e349142ec7020fbf8f4e10cfd23c05c212abd10ba5703a5857b58c93178ced8ef541fc0228bb87c8ba1e88e2f356a74b33a778f5cdad54711ff9c0ad41f38aeab50e27506c74b3ba1b41a722c66520033b3d57dec551994aaf564be76efa5520b2b91fe690c956f3f32a60b9346424157c62e8510bddeb200c2a7afae068f772dc22d8e845377e1449dc2b8f8f2363b989c86d009b15b28d012203d2e652d81316821a7d0b2c30df794b400d9ea3d86b4ac43b2c983b5a6bafeec9b26bbf69dccc0c18154b4abb0e0127b8f7827ceacd23e9e3f7991f4908ce43a08ff62f05ccbf0feb2e506d6031832ec0e92aa641588134f743b4356be576a94e9a5d753cf67db5c83d8a2adbdee457a87631e70860db012aba0892413ecf45f1a2fd4142acae2b98870eb4bb4e6bee9fea62cd3271a5b9f4ded8aafa6447cff9ca4a7c06219ca4bdd96ec2a15bea1b0650fafa065e050e7b3ea0583041805ebef08fc91f5266e75be644c0f2410a9ab0152f97f0f7ff21599c6abbce74e7c718668b46dda49f10b8b124d4b30c58d95c7cdeddca44fb9c00adcbecd01c1f6f2f67476f220a1678f235e9506249b05d82c8f6bcd14ef113c607af70fb271a03c9770de1d5b92619027729d2851de2b8e9796781824bda23f37fc04866c62a3ff8c1f24f300024e0e95323ab806e4874bcbe8dd0d5b12ad4a895709ef9bb9f5ca3eede23f85920d910047f0dda88844b0c4c2a1c52b5fb40cbbea70dd288a11d56139647ed59475c748b3668735bc511e4e337f4a7e5dbf642280c0f3a0ecde7ba8feb1be1bf9f43d6fe92bc5ac3b57de99b8f3f91fcd0b13c8997efd903907758fa65699ebbbe73dd5a2de0e7b41c205eb0e3cf69dd66766699f33fb29589f013370b05b97849454eecf1d68daa18850e7396931a230b89a89d8227c68281ded73096e0b762d210fd335d290da55cdc5ea6f018e0f10829143d1a1f34701e6bfa5f43ca217e243b7e76975610ae70c75e9890632ad22c277e3a22c99ca40f1eda4a799d823f69bf55ad9b19363d943a033daaf1b622e1c1cf7f4f6cecf6cbe26ba8f061e1cf275ee704cc22a413633b0af9a2f1ce36bb929604906d0ad4451c8c63610d1bf23fe9cd3a802db2299fd79bca67cf7a52e8d4f29cffe3afac5c0a962cbbc378cb16a2903216fa3aac0957e97a9702e94c243329f0c515f3364449fdf5ec4129a2119813f1dff1b1467464aea719a347f07d924b5b54636b1d282f76e96f4beaceb935415e331cf8245fa3262413d26fbebbeda5e179641bff72dc77cb717ce73268840f16cce1a3c2bbae9be28d129d3e76b21f3140f5b66e9f8879ef027c9988a827c895a8aade6347ad30d9875043d6d9321712fe607f6b758a8ef10f40121cf184dc3109dcf96f5a0ccbcecb3775650eceaee00fec443dcd85830b5d19e33e1768ab95a135bbf8cd3844d8d6d0eb8f5960717cc3da8252305701cd537750497250e5af2a8dfde09935b0462b8eaf91c5acaaa04617b90f674b52fa927cfd8dffe1bd14acfa7f19cbd762247e7e5e007bf9b9fb28b26c4702fd59e8a49ef015ef344c2456e3dbf5465d6d4f19907b24419d616c5ab2773871965ad2714f6e4107763cbb2fe031985c75c9db86f02f27030aa9da3283d5d0c17e81d868306fa9574512595d7b2eeddfde3bc5319abb03c08f9840d2561bb913642efa7592ed991bd1c0e2453d196b0c85aa510f44406fdb2a96ee1c6249d370285e5b89d0af6803116683bdac834df91b91203f3d08bc692d068bfef23dca8a0f612b101a040fb216f875718ac4290b5a7408368b23a0c59f9f560232901ba19749442026f3ddf4198e945d4693a777b4add005834be8e0ac08eeae9de2cbd55301eb34c1b3465d316c49ecee983c1336b45fd8762c25cf4d2a5f130b1c9b713193a9c5614c1a73520eb765be14e3db5818e2b4d882e198d09359b3dba9c7ef444bb32a704394db6322987723295cef05a5630ccfb0104a1b25c9b5008df022e60a8f5d526000446b8ea469a17b6ae30cc378130fefa39a7cfd546fce9e296398c6fa746c2390ef464aa2b5a92ec7f1db676e48e11800f0e9dd2e97c8d0cbe663a7fdd3d260fcaf53fedd4e8e0426d61bea8fb26be18eb9041e5ffd21d9de874b8813b235d90d27b1087a41030051df3b0963ec2d5e0b8bdef8c91a118c19ba5e3165e9b682b3895c21d3afc720f6f964bf77fb3d7fc433e9718f52f0db34cd914cd8d36efd8406d83e8a9d21ec2678b86e51dba085d8900d640bbb4ea2b8edc5f36d36d465a07a04ea6e5479812560b39fec61d939701210a88c99adba06aa946bb074adfa20107d3de5790a288aa8331c0c63c1c1c206295019a98b794f17c12c047f087c815d1b02bf859ec25f907288f0fe537d3fa812146765a438c4e2c185434bde61de80f2af796e25088e8a04334a176306db6c9e4a3cd06d09c520d5b428df1f03c12db252b1a0a7e857c7dbc88bd5638e81a539b89aa90a7cfef0b7c3561c0048f0deda5dfe398f2d3ef6ee555610fc200e107491d3c4ba876c5d62e9cef0d603090c42c84767cb76c83b1989f60f65f41aa9d708fefda9de4db6d53386c0be124924d035a60670f2abaefe15e0f1863f2877b213a3002660f6842d7e0896aec1fce2624aab7a96058e4e987994b67033fd0fa7762c1b74907d80740c1fe11afe901d9edbe16860146524f272db741709bbeef71317d43e109877f213490cf60224c43c232f00e8baf1c3cdc0b595d497dab0cc7aabe63b2ea7aebe385bb316203c9ab2bb7a92e40deb62127d2eed7ffe72b53208791a1e6935fa50a18523c88f9785d90d63736dfd92c9dc8cd35d27a0914e2097a30d942d2d2ab7f5fed6e1e6bf7bd088858dccca9ec17f9da3533bf04d9268bf5536491b830473d2ddb74e50de38fa8cb56140190e749db927b188ee3ec51e6f9ca476e8688ab1d71ceb9211b6f16215de582e823b5d6730d33cf555f6f23deda976337ab7bbd748dae7236ac2d5e14eaa07c49c418d22b59779a4186919a1982d84c3c881209169377a05f9ad867802fd085e383fdee7d5aef48e016bddb151f7c2bae5d7e5454f8504f2458296fdbaa6831afe680e12a6d0e535b04f90bd9f2690cf9794fa83c0c11c03c286c0f66f0abe7129aeaf6c49c31f142e42ae74f266eb12b5f4735d423af5fefc68834276cc74b1f86bace921682f4d0f276dc6ea71953fa2a03b72706c3f72b08aae053df4103e18e9ed21c853bb1957515a88711bc7f37a34a64d17a083cfd00a2843090537fd1e7ea1c5caa17914f81c825291665ec84d6daf30a679c461eb9b08bf254cfc88a9d3fe9361fe314bc23a23c66da716375e3fb2141bbc294fd674486f43f911b3785dcad0ce2bef38409d1cbbfc5eb642fdcfababd052ad5c40519690365038b37349ff4ac4ec26cf5e2b8bfd78055bb453ef61193e079f2c357d8e3c0cad8c0e0c7804ecf7a633de9ca162fdbe636ce0a1be491489ddcd37cd7dbaa50ba76b7422fd78261d8385b466116ad10ff2bfd9ab9c28364c73f6b108f48b12ed1271cbdcbf9d8d1836ffa07f565460b1564b98e20bb4659d934b30d541d7be78c770c0e0e18c9426980c616a24145647b0cd1fb01aeb76f0a7b36ee9fda93ed1f1ef67177671ab3015bd960e2960713a0ac692c111696b6ab48c7185aa456a18778c2d1e0e89297527573ac4598d7c725ae0a729611a9d5c0702c6efe987280ab0ec25a30b7bc509ef1962956947661fd24f0ba71aa1a7577c8dc8ebbbf5a11cc04f095f93c573d99f2d82436ffdf14a267fa15f0924627c72f17aee1af78220969a26b13fa3979af0a632dd0546bf7a839c51f190c8e4765591cc911ba8ded25fe84c07540a1aa04c7bde02673fd4772a2ad35d28deda9463ca264bae40b3ed479a2df3fd20f744de4043c6ab4e51ac0c112a2324ce5a760146b5fdd97f7201b5fcd45f54e03b631b555adc0ae06dce1d6a5823714181cd4a69d387209e5c2bd3e7a12b6b9af0aab2344e90a93a7ff6e6e830f4f6d4445d67bff650595db5b2a79c80e733ac5b871bffbf0efabf067b006272b1a0e2b47656966ccdd839ab331ee1b2c836e499d7a0ff6cb02f00b2c4e639c484bbe0ea7d8980f40e5a8044cceac67b6d511382d594aadfdee8f2713f3231a3ad400b1fd56a35a2ede0b0e5035d85d8a9a68e0544988426b1ec43be2645659fd07c855c492dfcedf796e55126e55474a278bf36d2dcb843598e4d8e00a13cb23fb835cae4b46c4d67b778a09e92507f929124cc0c56a19f9dfa1e1a56416569ea6368476e7b1cc2b4296d21416ea07f8c54480b50ff977465dba83268a8003524bc1c8b77da58ae5ed0d8361f44318ebf60d624133daf86355cccf01a8be29abd3cf3e2402d8ad116d4962b39e5b9074581c2c9d56452737cca8be54397987d0ce65b92bcb37843749aec0e077303ac58edb2bd646843b035591c9cc7bb06aafa81fbd7125edeac29d782a9628edd09608162e111cb6d057ff51f228356396f081f1d4000000059d6a8afc1e530ae138873f64dc89415658899d8966c4af2544c236cb3214e16f76b7f106f0ba9c8c22897226540cde0684c4f195c741ccac31b9ff232ba35a6	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006C4A871EE"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd8c6dcf792f0677ca7c8f821c88b6938c38f709c096096ff1babfa504b39cf0.dll,#1
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:460

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 4640 -ip 4640
1⤵
PID:4128

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4640 -s 2204
1⤵
- Program crash
PID:4156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1720-134-0x00000204D5BF0000-0x00000204D5C1B000-memory.dmp

Filesize
172KB

Download