Analysis
- max time kernel: 147s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-05-2022 21:43
Static task: static1
Behavioral task: behavioral1
- Sample: fileman.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: fileman.dll
- Resource: win10v2004-20220414-en
- Platform: windows10-2004_x64
- 0 signatures
- 0 seconds
General
- Target: fileman.dll
- Size: 213KB
- MD5: 6f3be0dfe6b5971b16464b7924772445
- SHA1: 8af5e975c00f5bdbd843f644a60adbb5f8da8a0d
- SHA256: b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb
- SHA512: a1a8d49ec7610c37284a2e9f7409f1f93343c7d9c676985b9a3759388835880e7e376451e89294654cb4fc0f6c6386876896da50347c8bc4a98b80b1825cd5ef
- Score: 10/10
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: reg.exe
  - Key created: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ew5cE3XM7fa6er4oU6h = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6" (reg.exe)
- Modifies registry key (1 TTPs, 1 IoCs)
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: rundll32.exe
  - PID 4912 rundll32.exe
  - PID 4912 rundll32.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: rundll32.exe, cmd.exe, rundll32.exe, cmd.exe, cmd.exe
  description                        pid   process       target process
  PID 2628 wrote to memory of 4228   2628  rundll32.exe  cmd.exe
  PID 2628 wrote to memory of 4228   2628  rundll32.exe  cmd.exe
  PID 4228 wrote to memory of 3444   4228  cmd.exe       PING.EXE
  PID 4228 wrote to memory of 3444   4228  cmd.exe       PING.EXE
  PID 4228 wrote to memory of 4912   4228  cmd.exe       rundll32.exe
  PID 4228 wrote to memory of 4912   4228  cmd.exe       rundll32.exe
  PID 4912 wrote to memory of 888    4912  rundll32.exe  cmd.exe
  PID 4912 wrote to memory of 888    4912  rundll32.exe  cmd.exe
  PID 888 wrote to memory of 1952    888   cmd.exe       reg.exe
  PID 888 wrote to memory of 1952    888   cmd.exe       reg.exe
  PID 4912 wrote to memory of 2016   4912  rundll32.exe  cmd.exe
  PID 4912 wrote to memory of 2016   4912  rundll32.exe  cmd.exe
  PID 2016 wrote to memory of 2160   2016  cmd.exe       choice.exe
  PID 2016 wrote to memory of 2160   2016  cmd.exe       choice.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\fileman.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe
    cmd /c ping 127.0.0.1 -n 10 -4 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VI0rr2aG & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10 -4 -w 1000
      - Runs ping.exe
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VI0rr2aG
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\reg.exe
          reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
          - Adds Run key to start application
          - Modifies registry key
      - C:\Windows\system32\cmd.exe
        cmd /c choice /c y /d y /t 8 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6 & exit
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\choice.exe
          choice /c y /d y /t 8
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/888-135-0x0000000000000000-mapping.dmp
- memory/1952-136-0x0000000000000000-mapping.dmp
- memory/2016-137-0x0000000000000000-mapping.dmp
- memory/2160-138-0x0000000000000000-mapping.dmp
- memory/2628-130-0x0000024CA92B0000-0x0000024CA92D0000-memory.dmp (Filesize: 128KB)
- memory/3444-132-0x0000000000000000-mapping.dmp
- memory/4228-131-0x0000000000000000-mapping.dmp
- memory/4912-133-0x0000000000000000-mapping.dmp
- memory/4912-134-0x000002AAA9D50000-0x000002AAA9D70000-memory.dmp (Filesize: 128KB)