bazarbackdoor | be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129 | Triage

Analysis

max time kernel
149s
max time network
88s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 03:42

Sharing

Report Analysis Logs

General

Target

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Size

1.7MB
MD5

1bf3dfb666cc4335c040b425e6c3d01a
SHA1

a92cc67625b720d5ded99817d32d6e775a5480e2
SHA256

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129
SHA512

1064a3bcad22b3e9fd281d8fec02f08c72f8564510657caeba50c06173c4ecc73f712f5b2be47aa2e8ba7109b59be249038399313fbc99b31ea9829980f5100e

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/848-56-0x0000000140000000-0x00000001404B5000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/848-58-0x0000000140000000-0x00000001404B5000-memory.dmp	BazarBackdoorVar3

Loads dropped DLL 1 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

pid process

848 be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

description	ioc	process
File opened (read-only)	\??\M:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\O:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\S:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\U:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\V:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\F:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\J:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\G:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\I:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\K:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\L:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\N:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\P:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\A:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\B:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\T:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\X:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\Q:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\R:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\Z:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\E:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\H:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\W:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
File opened (read-only)	\??\Y:	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win64	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

pid	process
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

description	pid	process
Token: SeDebugPrivilege	848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Token: 33	848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
Token: SeIncBasePriorityPrivilege	848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Suspicious use of FindShellTrayWindow 41 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

pid	process
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Suspicious use of SendNotifyMessage 41 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

pid	process
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

pid	process
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
848	be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

C:\Users\Admin\AppData\Local\Temp\be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
"C:\Users\Admin\AppData\Local\Temp\be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\RimeToolData\x64\sqlite3.dll
Filesize
1.9MB

MD5
7bc084895c61622dfc86e9b9904db093

SHA1
f421313979ddfaeb951bc8f7d6a0d89c63d2bb3c

SHA256
75d6bdc2ce9e0e718f99897910bfadeaac3d8d7cf2f08ddc4129f7441a525079

SHA512
6e4cfdae9e4d1f88e5b6d82c8e658cdfdcefdde47d6834c9dc18b7ba9499aca1a868c58ec4e36efb1856ba65f0fd8cc1ace1662d235cec6dfa7c0e0b5251de67

Download Submit
memory/848-54-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download
memory/848-55-0x000000000062A000-0x000000000063B000-memory.dmp

Filesize
68KB

Download
memory/848-56-0x0000000140000000-0x00000001404B5000-memory.dmp

Filesize
4.7MB

Download
memory/848-58-0x0000000140000000-0x00000001404B5000-memory.dmp

Filesize
4.7MB

Download