Behavioral Report

max time kernel135s
max time network154s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted17-04-2022 09:04

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

Filesize

517KB

Completed

17-04-2022 10:10

Task

behavioral2

Score

10^/10

MD5

743d977bc5f5fdfe91819c3b9490933c

SHA1

03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512

dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

bazarloader dropper loader persistence

Extracted

Family	bazarloader
C2	195.123.241.204 89.32.41.191 195.123.241.204 89.32.41.191

Defense Evasion

Discovery

Persistence

Bazar Loader

Description

Detected loader normally used to deploy BazarBackdoor malware.

Tags

loader dropper bazarloader

Bazar/Team9 Loader payload

Reported IOCs

resource	yara_rule
behavioral2/memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp	BazarLoaderVar1

Executes dropped EXE
GGH516C.exeGGH516C.exe

Reported IOCs

pid process

1992 GGH516C.exe
3680 GGH516C.exe

pid	process
1992	GGH516C.exe
3680	GGH516C.exe

Adds Run key to start application

GGH516C.exe

TTPs

Registry Run Keys / Startup FolderModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\M6BWVBCM8G = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Q6SDKNFVE /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\\\" OEZE\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\" OEZE"	GGH516C.exe

Runs ping.exe
PING.EXEPING.EXEPING.EXE

TTPs

Remote System Discovery

Reported IOCs

pid process

3980 PING.EXE
4340 PING.EXE
3484 PING.EXE

pid	process
3980	PING.EXE
4340	PING.EXE
3484	PING.EXE

Suspicious behavior: EnumeratesProcesses

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

Reported IOCs

pid	process
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

Suspicious use of SetWindowsHookEx

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exeGGH516C.exeGGH516C.exe

Reported IOCs

pid	process
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
1992	GGH516C.exe
3680	GGH516C.exe

Suspicious use of WriteProcessMemory

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exeGGH516C.execmd.exe

Reported IOCs

description	pid	process	target process
PID 3580 wrote to memory of 4756	3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 3580 wrote to memory of 4756	3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 4756 wrote to memory of 3980	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 3980	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 4800	4756	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 4756 wrote to memory of 4800	4756	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 4800 wrote to memory of 3880	4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 4800 wrote to memory of 3880	4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 3880 wrote to memory of 4340	3880	cmd.exe	PING.EXE
PID 3880 wrote to memory of 4340	3880	cmd.exe	PING.EXE
PID 3880 wrote to memory of 1992	3880	cmd.exe	GGH516C.exe
PID 3880 wrote to memory of 1992	3880	cmd.exe	GGH516C.exe
PID 1992 wrote to memory of 4920	1992	GGH516C.exe	cmd.exe
PID 1992 wrote to memory of 4920	1992	GGH516C.exe	cmd.exe
PID 4920 wrote to memory of 3484	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 3484	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 3680	4920	cmd.exe	GGH516C.exe
PID 4920 wrote to memory of 3680	4920	cmd.exe	GGH516C.exe

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

"C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:3580

C:\Windows\SYSTEM32\cmd.exe

cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62

Suspicious use of WriteProcessMemory

PID:4756

C:\Windows\system32\PING.EXE

ping 8.8.8.8 -n 2

Runs ping.exe

PID:3980

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62

Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:4800

C:\Windows\SYSTEM32\cmd.exe

cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48

Suspicious use of WriteProcessMemory

PID:3880

C:\Windows\system32\PING.EXE

ping 8.8.8.8 -n 2

Runs ping.exe

PID:4340

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48

Executes dropped EXE
Adds Run key to start application
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1992

C:\Windows\SYSTEM32\cmd.exe

cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE

Suspicious use of WriteProcessMemory

PID:4920

C:\Windows\system32\PING.EXE

ping 8.8.8.8 -n 2

Runs ping.exe

PID:3484

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE

Executes dropped EXE
Suspicious use of SetWindowsHookEx

PID:3680

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Remote System Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
memory/1992-154-0x0000000000000000-mapping.dmp

Download
memory/3484-167-0x0000000000000000-mapping.dmp

Download
memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp

Download
memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp

Download
memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp

Download
memory/3680-168-0x0000000000000000-mapping.dmp

Download
memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp

Download
memory/3880-152-0x0000000000000000-mapping.dmp

Download
memory/3980-141-0x0000000000000000-mapping.dmp

Download
memory/4340-153-0x0000000000000000-mapping.dmp

Download
memory/4756-140-0x0000000000000000-mapping.dmp

Download
memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp

Download
memory/4800-142-0x0000000000000000-mapping.dmp

Download
memory/4920-166-0x0000000000000000-mapping.dmp

Download

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Tags

TTPs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title