Analysis
max time kernel: 4294180s
max time network: 123s
platform: windows7_x64
resource: win7-20220311-en
submitted: 11-04-2022 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: fileman.dll
  Resource: win7-20220311-en
  Platform: windows7_x64
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: fileman.dll
  Resource: win10v2004-en-20220113
  Platform: windows10-2004_x64
  0 signatures, 0 seconds
General
Target: fileman.dll
Size: 213KB
MD5: 6f3be0dfe6b5971b16464b7924772445
SHA1: 8af5e975c00f5bdbd843f644a60adbb5f8da8a0d
SHA256: b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb
SHA512: a1a8d49ec7610c37284a2e9f7409f1f93343c7d9c676985b9a3759388835880e7e376451e89294654cb4fc0f6c6386876896da50347c8bc4a98b80b1825cd5ef
Score: 10/10
Malware Config
Extracted
Family: bazarloader
C2:
  148.163.42.213
  5.255.102.10
  188.127.235.177
  23.160.193.221
  reddew28c.bazar
  bluehail.bazar
  whitestorm9p.bazar
Signatures
Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: rundll32.exe, cmd.exe
  description                       pid   process       target process
  PID 2032 wrote to memory of 764   2032  rundll32.exe  cmd.exe
  PID 2032 wrote to memory of 764   2032  rundll32.exe  cmd.exe
  PID 2032 wrote to memory of 764   2032  rundll32.exe  cmd.exe
  PID 764 wrote to memory of 1820   764   cmd.exe       PING.EXE
  PID 764 wrote to memory of 1820   764   cmd.exe       PING.EXE
  PID 764 wrote to memory of 1820   764   cmd.exe       PING.EXE
  PID 764 wrote to memory of 1144   764   cmd.exe       rundll32.exe
  PID 764 wrote to memory of 1144   764   cmd.exe       rundll32.exe
  PID 764 wrote to memory of 1144   764   cmd.exe       rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fileman.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ping 192.0.2.78 -n 7 -4 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 wD6bUqfE kO5rG7fD & exit
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE
      Command line: ping 192.0.2.78 -n 7 -4 -w 1000
      Signatures: Runs ping.exe
    C:\Windows\system32\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 wD6bUqfE kO5rG7fD
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/764-55-0x0000000000000000-mapping.dmp
memory/1144-57-0x0000000000000000-mapping.dmp
memory/1144-58-0x0000000001B00000-0x0000000001B20000-memory.dmp (Filesize: 128KB)
memory/1820-56-0x0000000000000000-mapping.dmp
memory/2032-54-0x00000000001D0000-0x00000000001F0000-memory.dmp (Filesize: 128KB)