Overview

overview

10

Static

static

63c47ac180d0a7...c7.exe

windows7_x64

10

63c47ac180d0a7...c7.exe

windows10-2004_x64

10
General
Target

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

Filesize

517KB

Completed

17-04-2022 10:11

Task

behavioral1

Score
10/10
MD5

743d977bc5f5fdfe91819c3b9490933c

SHA1

03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512

dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Malware Config

Extracted

Family

bazarloader
C2

195.123.241.204

89.32.41.191
Signatures 9

Filter: none

Defense Evasion
Discovery
Persistence
  • Bazar Loader

    Description

    Detected loader normally used to deploy BazarBackdoor malware.

    Tags

  • Bazar/Team9 Loader payload

    Reported IOCs

    resourceyara_rule
    behavioral1/memory/1828-54-0x0000000001BC0000-0x0000000001C0A000-memory.dmpBazarLoaderVar1
    behavioral1/memory/1828-58-0x0000000001C10000-0x0000000001C57000-memory.dmpBazarLoaderVar1
    behavioral1/memory/1828-63-0x0000000000220000-0x0000000000268000-memory.dmpBazarLoaderVar1
    behavioral1/memory/1776-71-0x0000000001FE0000-0x0000000002027000-memory.dmpBazarLoaderVar1
    behavioral1/memory/1608-86-0x0000000002030000-0x0000000002077000-memory.dmpBazarLoaderVar1
    behavioral1/memory/1000-100-0x0000000001F70000-0x0000000001FB7000-memory.dmpBazarLoaderVar1
  • Executes dropped EXE
    QSZ8161.exeQSZ8161.exe

    Reported IOCs

    pidprocess
    1608QSZ8161.exe
    1000QSZ8161.exe
  • Loads dropped DLL
    cmd.execmd.exe

    Reported IOCs

    pidprocess
    1008cmd.exe
    1948cmd.exe
  • Adds Run key to start application
    QSZ8161.exe

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\YAXELDOB = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v KT7FH3YXCRB /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\QSZ8161.exe\\\" KRTV5G\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QSZ8161.exe\" KRTV5G"QSZ8161.exe
  • Runs ping.exe
    PING.EXEPING.EXEPING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pidprocess
    676PING.EXE
    2036PING.EXE
    864PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

    Reported IOCs

    pidprocess
    182863c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
  • Suspicious use of SetWindowsHookEx
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exeQSZ8161.exeQSZ8161.exe

    Reported IOCs

    pidprocess
    182863c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    177663c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    1608QSZ8161.exe
    1000QSZ8161.exe
  • Suspicious use of WriteProcessMemory
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exeQSZ8161.execmd.exe

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1828 wrote to memory of 1420182863c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1828 wrote to memory of 1420182863c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1828 wrote to memory of 1420182863c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1420 wrote to memory of 20361420cmd.exePING.EXE
    PID 1420 wrote to memory of 20361420cmd.exePING.EXE
    PID 1420 wrote to memory of 20361420cmd.exePING.EXE
    PID 1420 wrote to memory of 17761420cmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    PID 1420 wrote to memory of 17761420cmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    PID 1420 wrote to memory of 17761420cmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    PID 1776 wrote to memory of 1008177663c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1776 wrote to memory of 1008177663c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1776 wrote to memory of 1008177663c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe
    PID 1008 wrote to memory of 8641008cmd.exePING.EXE
    PID 1008 wrote to memory of 8641008cmd.exePING.EXE
    PID 1008 wrote to memory of 8641008cmd.exePING.EXE
    PID 1008 wrote to memory of 16081008cmd.exeQSZ8161.exe
    PID 1008 wrote to memory of 16081008cmd.exeQSZ8161.exe
    PID 1008 wrote to memory of 16081008cmd.exeQSZ8161.exe
    PID 1608 wrote to memory of 19481608QSZ8161.execmd.exe
    PID 1608 wrote to memory of 19481608QSZ8161.execmd.exe
    PID 1608 wrote to memory of 19481608QSZ8161.execmd.exe
    PID 1948 wrote to memory of 6761948cmd.exePING.EXE
    PID 1948 wrote to memory of 6761948cmd.exePING.EXE
    PID 1948 wrote to memory of 6761948cmd.exePING.EXE
    PID 1948 wrote to memory of 10001948cmd.exeQSZ8161.exe
    PID 1948 wrote to memory of 10001948cmd.exeQSZ8161.exe
    PID 1948 wrote to memory of 10001948cmd.exeQSZ8161.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    "C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe G3TU
      Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\PING.EXE
        ping 8.8.8.8 -n 2
        Runs ping.exe
        PID:2036
      • C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
        C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe G3TU
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\system32\cmd.exe
          cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe U2OGF
          Loads dropped DLL
          Suspicious use of WriteProcessMemory
          PID:1008
          • C:\Windows\system32\PING.EXE
            ping 8.8.8.8 -n 2
            Runs ping.exe
            PID:864
          • C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
            C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe U2OGF
            Executes dropped EXE
            Adds Run key to start application
            Suspicious use of SetWindowsHookEx
            Suspicious use of WriteProcessMemory
            PID:1608
            • C:\Windows\system32\cmd.exe
              cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe KRTV5G
              Loads dropped DLL
              Suspicious use of WriteProcessMemory
              PID:1948
              • C:\Windows\system32\PING.EXE
                ping 8.8.8.8 -n 2
                Runs ping.exe
                PID:676
              • C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
                C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe KRTV5G
                Executes dropped EXE
                Suspicious use of SetWindowsHookEx
                PID:1000
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
              Initial Access
                Lateral Movement
                  Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe

                      MD5

                      743d977bc5f5fdfe91819c3b9490933c

                      SHA1

                      03142bb3481ba4d7ef874f98b1f7af21be4398db

                      SHA256

                      63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

                      SHA512

                      dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe

                      MD5

                      743d977bc5f5fdfe91819c3b9490933c

                      SHA1

                      03142bb3481ba4d7ef874f98b1f7af21be4398db

                      SHA256

                      63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

                      SHA512

                      dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe

                      MD5

                      743d977bc5f5fdfe91819c3b9490933c

                      SHA1

                      03142bb3481ba4d7ef874f98b1f7af21be4398db

                      SHA256

                      63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

                      SHA512

                      dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\QSZ8161.exe

                      MD5

                      743d977bc5f5fdfe91819c3b9490933c

                      SHA1

                      03142bb3481ba4d7ef874f98b1f7af21be4398db

                      SHA256

                      63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

                      SHA512

                      dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

                      Download Submit

                    • \Users\Admin\AppData\Local\Temp\QSZ8161.exe

                      MD5

                      743d977bc5f5fdfe91819c3b9490933c

                      SHA1

                      03142bb3481ba4d7ef874f98b1f7af21be4398db

                      SHA256

                      63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

                      SHA512

                      dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

                      Download Submit

                    • memory/676-92-0x0000000000000000-mapping.dmp

                      Download

                    • memory/864-77-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1000-94-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1000-100-0x0000000001F70000-0x0000000001FB7000-memory.dmp

                      Download

                    • memory/1008-76-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1420-64-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1608-79-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1608-86-0x0000000002030000-0x0000000002077000-memory.dmp

                      Download

                    • memory/1776-66-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1776-71-0x0000000001FE0000-0x0000000002027000-memory.dmp

                      Download

                    • memory/1828-63-0x0000000000220000-0x0000000000268000-memory.dmp

                      Download

                    • memory/1828-58-0x0000000001C10000-0x0000000001C57000-memory.dmp

                      Download

                    • memory/1828-54-0x0000000001BC0000-0x0000000001C0A000-memory.dmp

                      Download

                    • memory/1948-91-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2036-65-0x0000000000000000-mapping.dmp

                      Download