Analysis
max time kernel: 154s
max time network: 168s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 19:30

Static task: static1
Behavioral task: behavioral1
  Sample: 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
  Resource: win10v2004-20220414-en

All signatures, process records and memory dumps on this page come from behavioral1 (win7-20220414-en); the behavioral2 (Windows 10) run is not included here.

General
Target: 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
Size: 550KB
MD5: aa569a58ad06c7cbdb4587f0915bee26
SHA1: 9eea511d098b34a284508f45e69e3fe67fd74f8d
SHA256: 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
SHA512: 4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (6 IoCs)
YARA rule BazarLoaderVar1 matched these memory regions:
  behavioral1/memory/1156-54-0x0000000001CC0000-0x0000000001D04000-memory.dmp
  behavioral1/memory/1156-58-0x0000000001F00000-0x0000000001F41000-memory.dmp
  behavioral1/memory/1156-63-0x0000000001C70000-0x0000000001CB1000-memory.dmp
  behavioral1/memory/592-71-0x0000000001E50000-0x0000000001E91000-memory.dmp
  behavioral1/memory/276-86-0x0000000002000000-0x0000000002041000-memory.dmp
  behavioral1/memory/992-100-0x0000000001C60000-0x0000000001CA1000-memory.dmp

Executes dropped EXE (2 IoCs)
  PID 276   TAFC553.exe
  PID 992   TAFC553.exe

Loads dropped DLL (2 IoCs)
  PID 640   cmd.exe
  PID 1248  cmd.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: TAFC553.exe
  Operation: Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
  Value name: QAJ9JCNB
  Data, as the report prints it (backslashes and quotes escaped):
    cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v TTV616PH9MI /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TAFC553.exe\\\" TXBLBH\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TAFC553.exe\" TXBLBH
  Data, decoded:
    cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v TTV616PH9MI /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\TAFC553.exe\" TXBLBH" & start "H" "C:\Users\Admin\AppData\Local\Temp\TAFC553.exe" TXBLBH
  What it does: when the RunOnce entry fires it runs cmd.exe, which first writes a persistent Run value TTV616PH9MI whose data is "C:\Users\Admin\AppData\Local\Temp\TAFC553.exe" TXBLBH (the \" escapes survive reg.exe's argument parsing as literal quotes inside the stored data), then immediately starts that same binary with the TXBLBH argument ("H" is the window title that start takes as its first quoted argument). A one-shot RunOnce entry therefore upgrades itself to a persistent Run entry on first use. The value names and the W3HW/AYJX8/TXBLBH arguments differ at every stage within this single run, so hunt on the structure (a RunOnce value whose data invokes reg.exe add against the Run key and launches a binary from the user's Temp directory) rather than on these literal names.
Runs ping.exe (1 TTP, 3 IoCs)
  PID 1540  PING.EXE
  PID 1648  PING.EXE
  PID 1880  PING.EXE

Suspicious behavior: EnumeratesProcesses (1 IoC)
  PID 1156  1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  PID 1156  1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
  PID 592   1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
  PID 276   TAFC553.exe
  PID 992   TAFC553.exe
Suspicious use of WriteProcessMemory (27 IoCs)
The report lists three writes for every parent/child pair; they are collapsed here to one line per pair (9 pairs x 3 writes = 27):
  1156 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe -> 1608 cmd.exe
  1608 cmd.exe -> 1540 PING.EXE
  1608 cmd.exe -> 592 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
  592 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe -> 640 cmd.exe
  640 cmd.exe -> 1648 PING.EXE
  640 cmd.exe -> 276 TAFC553.exe
  276 TAFC553.exe -> 1248 cmd.exe
  1248 cmd.exe -> 1880 PING.EXE
  1248 cmd.exe -> 992 TAFC553.exe
Caveat: every target is a child the writer had just spawned, and the writes sit at the point of process creation rather than targeting an unrelated running process. Read this signature as confirmation of the parent/child chain, not on its own as evidence of injection into a foreign process; the BazarLoaderVar1 YARA hits on the loader's own memory regions are the stronger indicator in this report.
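The RunOnce value above is the most reusable detection artefact in this report, but its nested quoting (cmd.exe around reg.exe around the Run value's own data) makes it easy to misread by eye or with a naive split. The following is an added example, not code from the report, the sandbox vendor or the malware: it splits the value the way cmd.exe does (on & outside quotes), tokenises each command with the C-runtime quoting rules that reg.exe and start see, and reports which autorun key gets re-registered, which image is launched, and why that matters. The input is the decoded value from this report; the function names and the tag strings are my own.

```python
import re

# Constructed input: the RunOnce value from the report above, with the report's escaping undone.
RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
RUNONCE_NAME = "QAJ9JCNB"
RUNONCE_DATA = (
    r'cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f '
    r'/v TTV616PH9MI /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\TAFC553.exe\" TXBLBH" '
    r'& start "H" "C:\Users\Admin\AppData\Local\Temp\TAFC553.exe" TXBLBH'
)
AUTORUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def split_cmd_chain(line):
    """Split on '&' the way cmd.exe does: only a '&' outside double quotes separates commands.
    cmd does not treat backslash as an escape, so every '"' simply toggles the quote state."""
    parts, buf, in_q = [], [], False
    for ch in line:
        if ch == '"':
            in_q = not in_q
        if ch == "&" and not in_q:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def win_argv(cmdline):
    """Tokenise like the Microsoft C runtime (what reg.exe and start see), simplified:
    backslashes are literal unless they precede '"'; 2n backslashes + '"' give n backslashes
    and toggle quoting; 2n+1 backslashes + '"' give n backslashes and a literal '"'.
    Empty quoted arguments ("") are dropped; this input never uses them."""
    argv, buf, in_q, i, n = [], [], False, 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nb = j - i
            if j < n and cmdline[j] == '"':
                buf.append("\\" * (nb // 2))
                if nb % 2:
                    buf.append('"')
                else:
                    in_q = not in_q
                i = j + 1
            else:
                buf.append("\\" * nb)
                i = j
        elif ch == '"':
            in_q = not in_q
            i += 1
        elif ch in " \t" and not in_q:
            if buf:
                argv.append("".join(buf))
                buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if buf:
        argv.append("".join(buf))
    return argv

def parse_reg_add(argv):
    """Key, value name, type and data from a 'reg add' argument vector, or None."""
    if len(argv) < 3 or argv[0].lower() not in ("reg", "reg.exe") or argv[1].lower() != "add":
        return None
    out = {"key": argv[2], "name": None, "type": "REG_SZ", "data": None, "force": False}
    flags = {"/v": "name", "/t": "type", "/d": "data"}
    i = 3
    while i < len(argv):
        f = argv[i].lower()
        if f == "/f":
            out["force"] = True
        elif f in flags and i + 1 < len(argv):
            out[flags[f]] = argv[i + 1]
            i += 1
        i += 1
    return out

def analyse_autorun_value(key, name, data):
    """Decode one Run/RunOnce value: what it re-registers, what it launches, and tags for triage."""
    body = re.sub(r"^cmd(?:\.exe)?\s+/[ck]\s+", "", data, flags=re.I)  # strip the cmd /c wrapper
    finding = {"key": key, "value": name, "reregisters": None, "launches": None, "tags": []}
    for cmd in split_cmd_chain(body):
        argv = win_argv(cmd)
        reg = parse_reg_add(argv)
        if reg and reg["data"] and AUTORUN_KEY.search(reg["key"]):
            img = win_argv(reg["data"])  # the stored value data is itself a command line
            finding["reregisters"] = {"key": reg["key"], "name": reg["name"], "image": img[0], "args": img[1:]}
            finding["tags"].append("autorun-value-reinstalls-autorun")
        elif argv and argv[0].lower() == "start":
            # start "title" program args: a quoted first token with text after it is the window title
            m = re.match(r'^start\s+(?:"[^"]*"\s+)?(.*)$', cmd, re.I)
            img = win_argv(m.group(1))
            finding["launches"] = {"image": img[0], "args": img[1:]}
    r, l = finding["reregisters"], finding["launches"]
    if r and TEMP_DIR.search(r["image"]):
        finding["tags"].append("persisted-image-in-user-temp")
    if r and l and r["image"].lower() == l["image"].lower():
        finding["tags"].append("persist-then-run-same-image")
    return finding

if __name__ == "__main__":
    for k, v in analyse_autorun_value(RUNONCE_KEY, RUNONCE_NAME, RUNONCE_DATA).items():
        print(f"{k}: {v}")
```

The two tokenisers are deliberately different: cmd.exe only counts quotes, while the program it launches applies the C-runtime backslash rules, which is exactly how the \" sequences in this value pass through cmd untouched and become literal quotes in the stored Run data.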
Processes (behavioral1; PIDs taken from the signature IoCs above, one indent level per hop)

1156  C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
      "C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
  1608  C:\Windows\system32\cmd.exe
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe W3HW
        - Suspicious use of WriteProcessMemory
    1540  C:\Windows\system32\PING.EXE
          ping 8.8.8.8 -n 2
          - Runs ping.exe
    592   C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
          C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe W3HW
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
      640   C:\Windows\system32\cmd.exe
            cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\TAFC553.exe AYJX8
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
        1648  C:\Windows\system32\PING.EXE
              ping 8.8.8.8 -n 2
              - Runs ping.exe
        276   C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
              C:\Users\Admin\AppData\Local\Temp\TAFC553.exe AYJX8
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
          1248  C:\Windows\system32\cmd.exe
                cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\TAFC553.exe TXBLBH
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
            1880  C:\Windows\system32\PING.EXE
                  ping 8.8.8.8 -n 2
                  - Runs ping.exe
                  (the original rendering shows this ping detached at the top level; the WriteProcessMemory IoCs record cmd.exe 1248 as its creator, so it is placed under 1248 here)
            992   C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
                  C:\Users\Admin\AppData\Local\Temp\TAFC553.exe TXBLBH
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx

Reading the chain: every hop is cmd /c ping 8.8.8.8 -n 2 & <exe> <arg>, a two-request ping used as a short delay before the next launch. The submitted sample relaunches itself with the argument W3HW; that instance writes a copy of itself to %TEMP%\TAFC553.exe (same size and hashes as the original, see Downloads) and launches it with AYJX8; that copy installs the RunOnce entry and launches itself once more with TXBLBH, so the final instance (992) runs with the persistence entry already in place. The argument changes at each hop, which makes it a stage marker rather than a stable indicator.
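The tree above repeats one pattern at every hop: cmd /c ping 8.8.8.8 -n 2 & <exe> <arg>, a ping used as a delay, then a relaunch of either the same image or its Temp copy with a fresh argument. The example below is added here and is not the sandbox's code or the malware's: it rebuilds the tree from constructed process-creation records that reuse this report's PIDs and command lines, flags the ping-then-launch cmd lines, and for each one says whether the parent relaunched itself, whether the target lives under the user's Temp directory, and how deep in the chain it sits. The record layout and function names are my own; in practice the records would come from Sysmon Event ID 1 (process creation) or an EDR feed.

```python
import re

# Constructed process-creation records (pid, parent pid, command line) mirroring the PIDs and
# command lines in the process tree above. Parent None marks the root of the record set.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe"
COPY = r"C:\Users\Admin\AppData\Local\Temp\TAFC553.exe"
EVENTS = [
    (1156, None, f'"{SAMPLE}"'),
    (1608, 1156, f"cmd /c ping 8.8.8.8 -n 2 & {SAMPLE} W3HW"),
    (1540, 1608, "ping 8.8.8.8 -n 2"),
    (592, 1608, f"{SAMPLE} W3HW"),
    (640, 592, f"cmd /c ping 8.8.8.8 -n 2 & {COPY} AYJX8"),
    (1648, 640, "ping 8.8.8.8 -n 2"),
    (276, 640, f"{COPY} AYJX8"),
    (1248, 276, f"cmd /c ping 8.8.8.8 -n 2 & {COPY} TXBLBH"),
    (1880, 1248, "ping 8.8.8.8 -n 2"),
    (992, 1248, f"{COPY} TXBLBH"),
]

# cmd /c ping <host> -n <count> & <exe> [arg]: a ping used as a sleep, then a (re)launch.
PING_RELAUNCH = re.compile(
    r'^cmd(?:\.exe)?\s+/c\s+ping\s+(?P<host>\S+)\s+-n\s+(?P<count>\d+)\s*&\s*'
    r'(?P<target>"[^"]+"|\S+)(?:\s+(?P<arg>\S+))?\s*$', re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

def image_of(cmdline):
    """First token of a command line, unquoted: the image that was launched."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""

def ancestry(events, pid):
    """[pid, parent, grandparent, ...] following parent links within the record set."""
    parents = {p: pp for p, pp, _ in events}
    chain = []
    while pid in parents and pid not in chain:  # second test guards against cyclic data
        chain.append(pid)
        pid = parents[pid]
    return chain

def find_ping_relaunch(events):
    """Flag every cmd.exe whose command line is the ping-delay-then-launch pattern and describe
    the launch: does the parent relaunch itself, and is the target in the user's Temp dir?"""
    images = {p: image_of(c) for p, _, c in events}
    findings = []
    for pid, ppid, cmd in events:
        m = PING_RELAUNCH.match(cmd)
        if not m:
            continue
        target = m.group("target").strip('"')
        findings.append({
            "pid": pid,
            "host": m.group("host"),
            "echo_requests": int(m.group("count")),
            "target": target,
            "arg": m.group("arg"),
            "self_relaunch": target.lower() == images.get(ppid, "").lower(),
            "temp_resident": bool(TEMP_DIR.search(target)),
            "depth": len(ancestry(events, pid)) - 1,
        })
    return findings

def render_tree(events, root, indent=0):
    """Indented lines of the process tree rooted at `root`, for a quick visual check."""
    lines = [f"{'  ' * indent}{root}  {next(c for p, _, c in events if p == root)}"]
    for pid, ppid, _ in events:
        if ppid == root:
            lines.extend(render_tree(events, pid, indent + 1))
    return lines

if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS, 1156)))
    for finding in find_ping_relaunch(EVENTS):
        print(finding)
```

On this input the detector fires three times (PIDs 1608, 640 and 1248), with self_relaunch true for the first and last hop and false for the middle one, where the original image hands over to its Temp copy; a single hit of this shape is worth a look on its own, and a chain of them with increasing depth and a Temp-resident target is the signal to escalate.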
Downloads
The report records the dropped file five times (three entries under C:\Users\... and two under \Users\...) with identical size and hashes; it is listed once here. Its size and every hash match the submitted sample exactly, so TAFC553.exe is a byte-for-byte copy of the original loader written to the user's Temp directory, not a separately downloaded second stage.

C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize: 550KB
MD5: aa569a58ad06c7cbdb4587f0915bee26
SHA1: 9eea511d098b34a284508f45e69e3fe67fd74f8d
SHA256: 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
SHA512: 4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337
Memory dumps (behavioral1; region dumps annotated with the YARA rule that matched them in the Signatures section)

PID 1156 (1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe, first instance)
  memory/1156-54-0x0000000001CC0000-0x0000000001D04000-memory.dmp   272KB   BazarLoaderVar1
  memory/1156-58-0x0000000001F00000-0x0000000001F41000-memory.dmp   260KB   BazarLoaderVar1
  memory/1156-63-0x0000000001C70000-0x0000000001CB1000-memory.dmp   260KB   BazarLoaderVar1
PID 592 (1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe W3HW)
  memory/592-66-0x0000000000000000-mapping.dmp
  memory/592-71-0x0000000001E50000-0x0000000001E91000-memory.dmp    260KB   BazarLoaderVar1
PID 276 (TAFC553.exe AYJX8)
  memory/276-79-0x0000000000000000-mapping.dmp
  memory/276-86-0x0000000002000000-0x0000000002041000-memory.dmp    260KB   BazarLoaderVar1
PID 992 (TAFC553.exe TXBLBH)
  memory/992-94-0x0000000000000000-mapping.dmp
  memory/992-100-0x0000000001C60000-0x0000000001CA1000-memory.dmp   260KB   BazarLoaderVar1
Mapping-only dumps (no matched region): 1608-64 cmd.exe, 1540-65 PING.EXE, 640-76 cmd.exe, 1648-77 PING.EXE, 1248-91 cmd.exe, 1880-92 PING.EXE

The listed sizes agree with the address ranges (0x41000 bytes = 260KB, 0x44000 bytes = 272KB). Every loader instance carries one 0x41000-byte private region that the BazarLoaderVar1 rule matches, at a different base address in each process; those regions, not the 550KB file on disk, are the ones to carve when you want the in-memory form of the loader for further analysis.