General

Target: 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
Filesize: 517KB
Completed: 17-04-2022 10:10
Task: behavioral2
Score: 10/10
MD5: 743d977bc5f5fdfe91819c3b9490933c
SHA1: 03142bb3481ba4d7ef874f98b1f7af21be4398db
SHA256: 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7
SHA512: dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Malware Config

Extracted
Family: bazarloader
C2:
  195.123.241.204
  89.32.41.191

Signatures 8

  • Bazar Loader

    Description

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp | BazarLoaderVar1
    behavioral2/memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp | BazarLoaderVar1
  • Executes dropped EXE
    GGH516C.exe

    Reported IOCs

    pid | process
    1992 | GGH516C.exe
    3680 | GGH516C.exe
  • Adds Run key to start application
    GGH516C.exe

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\M6BWVBCM8G = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Q6SDKNFVE /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\\\" OEZE\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\" OEZE" | GGH516C.exe
  • Runs ping.exe
    PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    3980 | PING.EXE
    4340 | PING.EXE
    3484 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

    Reported IOCs

    pid | process
    3580 | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
  • Suspicious use of SetWindowsHookEx
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe, GGH516C.exe

    Reported IOCs

    pid | process
    3580 | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    4800 | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    1992 | GGH516C.exe
    3680 | GGH516C.exe
  • Suspicious use of WriteProcessMemory
    63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe, cmd.exe, GGH516C.exe

    Reported IOCs

    description | pid | process | target process
    PID 3580 wrote to memory of 4756 | 3580 | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe | cmd.exe
    PID 4756 wrote to memory of 3980 | 4756 | cmd.exe | PING.EXE
    PID 4756 wrote to memory of 4800 | 4756 | cmd.exe | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    PID 4800 wrote to memory of 3880 | 4800 | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe | cmd.exe
    PID 3880 wrote to memory of 4340 | 3880 | cmd.exe | PING.EXE
    PID 3880 wrote to memory of 1992 | 3880 | cmd.exe | GGH516C.exe
    PID 1992 wrote to memory of 4920 | 1992 | GGH516C.exe | cmd.exe
    PID 4920 wrote to memory of 3484 | 4920 | cmd.exe | PING.EXE
    PID 4920 wrote to memory of 3680 | 4920 | cmd.exe | GGH516C.exe
Processes 10
  • C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
    "C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62
      Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\system32\PING.EXE
        ping 8.8.8.8 -n 2
        Runs ping.exe
        PID:3980
      • C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
        C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        PID:4800
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48
          Suspicious use of WriteProcessMemory
          PID:3880
          • C:\Windows\system32\PING.EXE
            ping 8.8.8.8 -n 2
            Runs ping.exe
            PID:4340
          • C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
            C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48
            Executes dropped EXE
            Adds Run key to start application
            Suspicious use of SetWindowsHookEx
            Suspicious use of WriteProcessMemory
            PID:1992
            • C:\Windows\SYSTEM32\cmd.exe
              cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE
              Suspicious use of WriteProcessMemory
              PID:4920
              • C:\Windows\system32\PING.EXE
                ping 8.8.8.8 -n 2
                Runs ping.exe
                PID:3484
              • C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
                C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE
                Executes dropped EXE
                Suspicious use of SetWindowsHookEx
                PID:3680
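The process tree and the RunOnce IOC above show two patterns worth detecting in endpoint telemetry: every stage runs `cmd /c ping 8.8.8.8 -n 2 & <exe> <arg>`, using ping as a short delay (and a connectivity check) before re-executing itself or the dropped copy with a new argument, and the dropped GGH516C.exe (same hashes as the original sample, i.e. a copy of it) persists by writing a RunOnce value whose command re-creates a Run value with reg.exe and immediately starts the payload. The following Python is an added example and is not part of the sandbox report; the events are constructed from the report's process tree and registry IOC (parent PIDs follow the tree nesting), and the regular expressions are assumptions about how such events appear in process-creation and registry-set telemetry.

```python
"""Detection logic for the ping-delay relaunch chain and the RunOnce -> Run
persistence pattern seen in this report. Added example, not sandbox output."""
import re
from dataclasses import dataclass
from ntpath import basename


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    key: str        # full key path, value name last
    data: str       # REG_SZ data as written


TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"
DROPPED = TMP + r"\GGH516C.exe"
CMD = r"C:\Windows\SYSTEM32\cmd.exe"
PING = r"C:\Windows\system32\PING.EXE"

# Constructed from the report's "Processes" tree (PIDs, images and command lines
# as reported; ppid follows the nesting). Not an export from the sandbox.
PROC_EVENTS = [
    ProcEvent(3580, 0,    SAMPLE,  f'"{SAMPLE}"'),
    ProcEvent(4756, 3580, CMD,     f"cmd /c ping 8.8.8.8 -n 2 & {SAMPLE} GPHG62"),
    ProcEvent(3980, 4756, PING,    "ping 8.8.8.8 -n 2"),
    ProcEvent(4800, 4756, SAMPLE,  f"{SAMPLE} GPHG62"),
    ProcEvent(3880, 4800, CMD,     f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} TV25O48"),
    ProcEvent(4340, 3880, PING,    "ping 8.8.8.8 -n 2"),
    ProcEvent(1992, 3880, DROPPED, f"{DROPPED} TV25O48"),
    ProcEvent(4920, 1992, CMD,     f"cmd /c ping 8.8.8.8 -n 2 & {DROPPED} OEZE"),
    ProcEvent(3484, 4920, PING,    "ping 8.8.8.8 -n 2"),
    ProcEvent(3680, 4920, DROPPED, f"{DROPPED} OEZE"),
]

# Constructed from the report's "Adds Run key" IOC, with the escaping undone so
# the data reads as it is stored in the registry.
REG_EVENTS = [
    RegEvent(
        1992,
        r"\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000"
        r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\M6BWVBCM8G",
        r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
        r' /f /v Q6SDKNFVE /t REG_SZ /d "\"' + DROPPED + r'\" OEZE"'
        r' & start "H" "' + DROPPED + r'" OEZE',
    ),
]

# cmd.exe used as a "ping -n N" sleep followed by launching a binary.
PING_RELAUNCH = re.compile(
    r"^cmd(?:\.exe)?\s+/c\s+ping\s+\S+\s+-n\s+\d+\s*&\s*\"?"
    r"(?P<exe>[A-Za-z]:\\[^\"&]+?\.exe)", re.I)
RUNONCE_KEY = re.compile(r"\\CurrentVersion\\RunOnce\\(?P<name>[^\\]+)$", re.I)
REG_ADD_RUN = re.compile(
    r"reg(?:\.exe)?\s+add\s+\"?(?P<key>\S+?\\Run)\"?\s.*?/v\s+(?P<value>\S+)", re.I)
EXE_PATH = re.compile(r"[A-Za-z]:\\[^\"\s]+?\.exe", re.I)


def find_ping_relaunch(events):
    """Return (cmd pid, launched exe) for each ping-delay-then-execute cmd line."""
    hits = []
    for ev in events:
        m = PING_RELAUNCH.search(ev.cmdline)
        if m:
            hits.append((ev.pid, m.group("exe")))
    return hits


def find_self_relaunch(events):
    """Return (grandparent, cmd, child) where a binary spawns cmd.exe which
    spawns the same binary again, as the sample does with a new argument."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if not parent or basename(parent.image).lower() != "cmd.exe":
            continue
        grand = by_pid.get(parent.ppid)
        if grand and grand.image.lower() == ev.image.lower():
            hits.append((grand.pid, parent.pid, ev.pid))
    return hits


def find_runonce_to_run(reg_events):
    """Flag RunOnce values whose command re-creates persistence under Run via
    reg.exe; report both value names and the executable paths referenced."""
    hits = []
    for ev in reg_events:
        k = RUNONCE_KEY.search(ev.key)
        m = REG_ADD_RUN.search(ev.data)
        if not (k and m):
            continue
        hits.append({
            "pid": ev.pid,
            "runonce_value": k.group("name"),
            "run_key": m.group("key"),
            "run_value": m.group("value"),
            "payloads": sorted({p.lower() for p in EXE_PATH.findall(ev.data)}),
        })
    return hits


if __name__ == "__main__":
    for hit in find_ping_relaunch(PROC_EVENTS):
        print("ping-delay relaunch:", hit)
    for hit in find_self_relaunch(PROC_EVENTS):
        print("self relaunch via cmd.exe (grandparent, cmd, child):", hit)
    for hit in find_runonce_to_run(REG_EVENTS):
        print("RunOnce -> Run persistence:", hit)
```

The name-based self-relaunch check catches the two stages where the same image re-executes itself (3580 to 4800 and 1992 to 3680) but not the hand-off from the original sample to GGH516C.exe; since the dropped file has identical hashes, a deployment that keys on file hash rather than image path would also catch that third hop.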
Downloads
  • C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
    MD5: 743d977bc5f5fdfe91819c3b9490933c
    SHA1: 03142bb3481ba4d7ef874f98b1f7af21be4398db
    SHA256: 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7
    SHA512: dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

  • memory/1992-154-0x0000000000000000-mapping.dmp
  • memory/3484-167-0x0000000000000000-mapping.dmp
  • memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp
  • memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp
  • memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp
  • memory/3680-168-0x0000000000000000-mapping.dmp
  • memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp
  • memory/3880-152-0x0000000000000000-mapping.dmp
  • memory/3980-141-0x0000000000000000-mapping.dmp
  • memory/4340-153-0x0000000000000000-mapping.dmp
  • memory/4756-140-0x0000000000000000-mapping.dmp
  • memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp
  • memory/4800-142-0x0000000000000000-mapping.dmp
  • memory/4920-166-0x0000000000000000-mapping.dmp