Analysis

- max time kernel: 168s
- max time network: 178s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-05-2022 15:45

Static task: static1

Behavioral task: behavioral1
- Sample: f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
- Resource: win10v2004-20220414-en
General

- Target: f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
- Size: 76KB
- MD5: 5e13bc98285bd873d1053bbcee71f3f6
- SHA1: 1d3b3a616ceaeed0554ccbd99d9addca97592ab3
- SHA256: f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37
- SHA512: d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a
Malware Config
Signatures

- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Bazar/Team9 Loader payload (3 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe | BazarLoaderVar1
  C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe | BazarLoaderVar1
  C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe | BazarLoaderVar1

- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  4184 | DVTCDCF.exe
  3544 | DVTCDCF.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\NZV11Y1RJ61 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v NFJZPYCL /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\DVTCDCF.exe\\\" FMGTW\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DVTCDCF.exe\" FMGTW" | DVTCDCF.exe

- Runs ping.exe (1 TTP, 3 IoCs)
  Processes:
  pid | process
  3148 | PING.EXE
  4408 | PING.EXE
  1828 | PING.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  904 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
  904 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
  description | pid | process | target process
  PID 904 wrote to memory of 4260 | 904 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe | cmd.exe
  PID 904 wrote to memory of 4260 | 904 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe | cmd.exe
  PID 4260 wrote to memory of 4408 | 4260 | cmd.exe | PING.EXE
  PID 4260 wrote to memory of 4408 | 4260 | cmd.exe | PING.EXE
  PID 4260 wrote to memory of 4300 | 4260 | cmd.exe | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
  PID 4260 wrote to memory of 4300 | 4260 | cmd.exe | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
  PID 4300 wrote to memory of 1528 | 4300 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe | cmd.exe
  PID 4300 wrote to memory of 1528 | 4300 | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe | cmd.exe
  PID 1528 wrote to memory of 1828 | 1528 | cmd.exe | PING.EXE
  PID 1528 wrote to memory of 1828 | 1528 | cmd.exe | PING.EXE
  PID 1528 wrote to memory of 4184 | 1528 | cmd.exe | DVTCDCF.exe
  PID 1528 wrote to memory of 4184 | 1528 | cmd.exe | DVTCDCF.exe
  PID 4184 wrote to memory of 444 | 4184 | DVTCDCF.exe | cmd.exe
  PID 4184 wrote to memory of 444 | 4184 | DVTCDCF.exe | cmd.exe
  PID 444 wrote to memory of 3148 | 444 | cmd.exe | PING.EXE
  PID 444 wrote to memory of 3148 | 444 | cmd.exe | PING.EXE
  PID 444 wrote to memory of 3544 | 444 | cmd.exe | DVTCDCF.exe
  PID 444 wrote to memory of 3544 | 444 | cmd.exe | DVTCDCF.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe HQN7PFS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      Command line: ping 8.8.8.8 -n 2
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe HQN7PFS
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe
        Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe S75RDQ
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE
          Command line: ping 8.8.8.8 -n 2
          - Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe S75RDQ
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\cmd.exe
            Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe FMGTW
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE
              Command line: ping 8.8.8.8 -n 2
              - Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe FMGTW
              - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Users\Admin\AppData\Local\Temp\DVTCDCF.exe
  Filesize: 76KB
  MD5: 5e13bc98285bd873d1053bbcee71f3f6
  SHA1: 1d3b3a616ceaeed0554ccbd99d9addca97592ab3
  SHA256: f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37
  SHA512: d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a
- memory/444-138-0x0000000000000000-mapping.dmp
- memory/1528-133-0x0000000000000000-mapping.dmp
- memory/1828-134-0x0000000000000000-mapping.dmp
- memory/3148-139-0x0000000000000000-mapping.dmp
- memory/3544-140-0x0000000000000000-mapping.dmp
- memory/4184-135-0x0000000000000000-mapping.dmp
- memory/4260-130-0x0000000000000000-mapping.dmp
- memory/4300-132-0x0000000000000000-mapping.dmp
- memory/4408-131-0x0000000000000000-mapping.dmp