Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-07-2022 03:42

General

  • Target

    be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe

  • Size

    1.7MB

  • MD5

    1bf3dfb666cc4335c040b425e6c3d01a

  • SHA1

    a92cc67625b720d5ded99817d32d6e775a5480e2

  • SHA256

    be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129

  • SHA512

    1064a3bcad22b3e9fd281d8fec02f08c72f8564510657caeba50c06173c4ecc73f712f5b2be47aa2e8ba7109b59be249038399313fbc99b31ea9829980f5100e

Score
10/10

Malware Config

Signatures

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe
    "C:\Users\Admin\AppData\Local\Temp\be022464fe5b3a190e5554d7cf974faa2622c0b13ed6551b9c9e83a28c6b8129.exe"
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Roaming\RimeToolData\x64\sqlite3.dll
    Filesize

    1.9MB

    MD5

    7bc084895c61622dfc86e9b9904db093

    SHA1

    f421313979ddfaeb951bc8f7d6a0d89c63d2bb3c

    SHA256

    75d6bdc2ce9e0e718f99897910bfadeaac3d8d7cf2f08ddc4129f7441a525079

    SHA512

    6e4cfdae9e4d1f88e5b6d82c8e658cdfdcefdde47d6834c9dc18b7ba9499aca1a868c58ec4e36efb1856ba65f0fd8cc1ace1662d235cec6dfa7c0e0b5251de67

  • memory/1812-130-0x0000000140000000-0x00000001404B5000-memory.dmp
    Filesize

    4.7MB

  • memory/1812-134-0x0000000006BD0000-0x0000000006DB2000-memory.dmp
    Filesize

    1.9MB

  • memory/1812-135-0x0000000140000000-0x00000001404B5000-memory.dmp
    Filesize

    4.7MB