Analysis
max time kernel: 141s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-07-2022 09:43
Static task: static1
Behavioral task: behavioral1
  Sample: 7f3bcbb3e8080ac75f7bba326a23c54f.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 7f3bcbb3e8080ac75f7bba326a23c54f.exe
  Resource: win10v2004-20220414-en
General
Target: 7f3bcbb3e8080ac75f7bba326a23c54f.exe
Size: 479KB
MD5: 7f3bcbb3e8080ac75f7bba326a23c54f
SHA1: e2cf8adac9d9860db7fff35dc0d9c94807b0f2dd
SHA256: 3bc6fc23cef261ac74aa5b98d0c3ec9a4fb1ef3f6b850334d4df698a5fe1ec04
SHA512: da60459af98161122eac4830c9017d1161d8fb6c4c6f65c0abd0e40cc536131678810943fc4c048110f0a2e7be0bff7d9de0c00589aa6f8e61fefe99a872b966
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

suricata: ET MALWARE BazaLoader Activity (GET)

suricata: ET MALWARE Win32/BazarLoader Activity (GET)

Bazar/Team9 Loader payload (3 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4116-130-0x0000000002C60000-0x0000000002C8F000-memory.dmp  BazarLoaderVar5
  behavioral2/memory/4116-138-0x0000000002A20000-0x0000000002A47000-memory.dmp  BazarLoaderVar5
  behavioral2/memory/1136-139-0x0000000001420000-0x000000000144F000-memory.dmp  BazarLoaderVar5
Tries to connect to .bazar domain (8 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
  flow  ioc
  61    reddew28c.bazar
  63    bluehail.bazar
  64    bluehail.bazar
  66    whitestorm9p.bazar
  67    whitestorm9p.bazar
  55    blackrain15.bazar
  56    blackrain15.bazar
  60    reddew28c.bazar
Unexpected DNS network traffic destination (8 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
  description     ioc
  Destination IP  134.195.4.2
  Destination IP  88.198.92.222
  Destination IP  88.198.92.222
  Destination IP  88.198.92.222
  Destination IP  134.195.4.2
  Destination IP  134.195.4.2
  Destination IP  134.195.4.2
  Destination IP  88.198.92.222
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
Processes:
  pid   process
  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
Processes:
  pid   process
  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe
  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe
  1136  7f3bcbb3e8080ac75f7bba326a23c54f.exe
  1136  7f3bcbb3e8080ac75f7bba326a23c54f.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                       pid   process                               target process
  PID 4116 wrote to memory of 1136  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe  7f3bcbb3e8080ac75f7bba326a23c54f.exe
  PID 4116 wrote to memory of 1136  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe  7f3bcbb3e8080ac75f7bba326a23c54f.exe
  PID 4116 wrote to memory of 1136  4116  7f3bcbb3e8080ac75f7bba326a23c54f.exe  7f3bcbb3e8080ac75f7bba326a23c54f.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f3bcbb3e8080ac75f7bba326a23c54f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\7f3bcbb3e8080ac75f7bba326a23c54f.exe"
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7f3bcbb3e8080ac75f7bba326a23c54f.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\7f3bcbb3e8080ac75f7bba326a23c54f.exe"
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Downloads
memory/1136-137-0x0000000000000000-mapping.dmp
memory/1136-139-0x0000000001420000-0x000000000144F000-memory.dmp
  Filesize: 188KB
memory/4116-130-0x0000000002C60000-0x0000000002C8F000-memory.dmp
  Filesize: 188KB
memory/4116-138-0x0000000002A20000-0x0000000002A47000-memory.dmp
  Filesize: 156KB