bazarloader | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

General

Target

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
Size

76KB
MD5

5e13bc98285bd873d1053bbcee71f3f6
SHA1

1d3b3a616ceaeed0554ccbd99d9addca97592ab3
SHA256

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37
SHA512

d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

DVTCDCF.exeDVTCDCF.exe

pid process

4184 DVTCDCF.exe
3544 DVTCDCF.exe

pid	process
4184	DVTCDCF.exe
3544	DVTCDCF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

DVTCDCF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NZV11Y1RJ61 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v NFJZPYCL /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DVTCDCF.exe\\\" FMGTW\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DVTCDCF.exe\" FMGTW"	DVTCDCF.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3148 PING.EXE
4408 PING.EXE
1828 PING.EXE

pid	process
3148	PING.EXE
4408	PING.EXE
1828	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

pid	process
904	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
904	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.execmd.exef138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.execmd.exeDVTCDCF.execmd.exe

description	pid	process	target process
PID 904 wrote to memory of 4260	904	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 904 wrote to memory of 4260	904	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 4260 wrote to memory of 4408	4260	cmd.exe	PING.EXE
PID 4260 wrote to memory of 4408	4260	cmd.exe	PING.EXE
PID 4260 wrote to memory of 4300	4260	cmd.exe	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
PID 4260 wrote to memory of 4300	4260	cmd.exe	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
PID 4300 wrote to memory of 1528	4300	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 4300 wrote to memory of 1528	4300	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1528 wrote to memory of 1828	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 1828	1528	cmd.exe	PING.EXE
PID 1528 wrote to memory of 4184	1528	cmd.exe	DVTCDCF.exe
PID 1528 wrote to memory of 4184	1528	cmd.exe	DVTCDCF.exe
PID 4184 wrote to memory of 444	4184	DVTCDCF.exe	cmd.exe
PID 4184 wrote to memory of 444	4184	DVTCDCF.exe	cmd.exe
PID 444 wrote to memory of 3148	444	cmd.exe	PING.EXE
PID 444 wrote to memory of 3148	444	cmd.exe	PING.EXE
PID 444 wrote to memory of 3544	444	cmd.exe	DVTCDCF.exe
PID 444 wrote to memory of 3544	444	cmd.exe	DVTCDCF.exe

C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
"C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe HQN7PFS
2⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe HQN7PFS
3⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe S75RDQ
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:1828

C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe S75RDQ
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe FMGTW
6⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:3148

C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe FMGTW
7⤵
- Executes dropped EXE
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
memory/444-138-0x0000000000000000-mapping.dmp

Download
memory/1528-133-0x0000000000000000-mapping.dmp

Download
memory/1828-134-0x0000000000000000-mapping.dmp

Download
memory/3148-139-0x0000000000000000-mapping.dmp

Download
memory/3544-140-0x0000000000000000-mapping.dmp

Download
memory/4184-135-0x0000000000000000-mapping.dmp

Download
memory/4260-130-0x0000000000000000-mapping.dmp

Download
memory/4300-132-0x0000000000000000-mapping.dmp

Download
memory/4408-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads