Analysis

  • max time kernel
    138s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 04:12

General

  • Target

    c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16.exe

  • Size

    245KB

  • MD5

    44bcd26f9a5bdffaec1458ae3ac05e5d

  • SHA1

    5f2ac141932304ca6fd4252d19b54b7ac0769252

  • SHA256

    c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16

  • SHA512

    a6dade5b186371af34db8fce5d278895b4cf3f10f7fe0617ab01315cb67efeca2d20425c24689078ff7e1aefd63a3f11b24ca39ea89d928c1e3bd6f34dc4e115

Malware Config

Signatures

  • Bazar Loader (4 IoCs)

    Detected loader normally used to deploy BazarBackdoor malware.

  • Executes dropped EXE (1 IoC)
  • Tries to connect to .bazar domain (3 IoCs)

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Loads dropped DLL (1 IoC)
  • Modifies system certificate store (2 TTPs, 6 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16.exe
    "C:\Users\Admin\AppData\Local\Temp\c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16.exe"
    1⤵
    • Bazar Loader
    • Modifies system certificate store
    PID:988
  • C:\Windows\system32\cmd.exe
    cmd.exe / c "start "" /b "cmd.exe" /c "copy /y "C:\Users\Admin\AppData\Local\Temp\c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16.exe" "C:\Users\Admin\AppData\Local\Temp\brbkaqvm.exe"&&start "" /b "C:\Users\Admin\AppData\Local\Temp\brbkaqvm.exe" -z {952CDE3F-5FEE-466D-B53E-B76F724F59F9}&&exit 0""
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Users\Admin\AppData\Local\Temp\brbkaqvm.exe
      "C:\Users\Admin\AppData\Local\Temp\brbkaqvm.exe" -z {952CDE3F-5FEE-466D-B53E-B76F724F59F9}
      2⤵
      • Executes dropped EXE
      PID:1528

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion
    • Install Root Certificate
      T1130 (1)
    • Modify Registry
      T1112 (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\brbkaqvm.exe
    Filesize

    245KB

    MD5

    44bcd26f9a5bdffaec1458ae3ac05e5d

    SHA1

    5f2ac141932304ca6fd4252d19b54b7ac0769252

    SHA256

    c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16

    SHA512

    a6dade5b186371af34db8fce5d278895b4cf3f10f7fe0617ab01315cb67efeca2d20425c24689078ff7e1aefd63a3f11b24ca39ea89d928c1e3bd6f34dc4e115

  • \Users\Admin\AppData\Local\Temp\brbkaqvm.exe
    Filesize

    245KB

    MD5

    44bcd26f9a5bdffaec1458ae3ac05e5d

    SHA1

    5f2ac141932304ca6fd4252d19b54b7ac0769252

    SHA256

    c45e01b4a06640be506fafb3ea3daaa648f2f728e152b1896ba920a902c90d16

    SHA512

    a6dade5b186371af34db8fce5d278895b4cf3f10f7fe0617ab01315cb67efeca2d20425c24689078ff7e1aefd63a3f11b24ca39ea89d928c1e3bd6f34dc4e115

  • memory/988-54-0x0000000000220000-0x0000000000247000-memory.dmp
    Filesize

    156KB

  • memory/988-58-0x0000000180000000-0x000000018002A000-memory.dmp
    Filesize

    168KB

  • memory/988-59-0x00000000001F0000-0x0000000000214000-memory.dmp
    Filesize

    144KB

  • memory/988-60-0x0000000180000000-0x000000018002A000-memory.dmp
    Filesize

    168KB

  • memory/988-61-0x000007FEFB6B1000-0x000007FEFB6B3000-memory.dmp
    Filesize

    8KB

  • memory/1528-63-0x0000000000000000-mapping.dmp
  • memory/1528-70-0x0000000180000000-0x000000018002A000-memory.dmp
    Filesize

    168KB