Analysis
- max time kernel: 152s
- max time network: 169s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 05:13
Static task: static1
Behavioral task: behavioral1
- Sample: images.exe
- Resource: win7-20220718-en (windows7-x64)
- 1 signatures, 150 seconds
Behavioral task: behavioral2
- Sample: images.exe
- Resource: win10v2004-20220721-en (windows10-2004-x64)
- 3 signatures, 150 seconds
General
- Target: images.exe
- Size: 290KB
- MD5: e28ae2f26a165ab891248f17b064f2e7
- SHA1: 8ac67ed569b4675411c54ac05768eefff853854f
- SHA256: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301
- SHA512: ba26ca25af0f1a5a5d4ec9c7fa1ba64e395d4c0a44b7803399df7dd50497addaa01ebf65d691c1f0a0a87462f0216aea60b9f4a6b3bffdc7c9743dc9e667c5b6
- Score: 10/10
Malware Config
Extracted
- Family: bazarloader
- C2:
  - 144.217.50.242
  - 5.39.63.103
  - 94.140.113.53
  - 185.163.45.95
  - reddew28c.bazar
  - bluehail.bazar
  - whitestorm9p.bazar
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid   process
  4820  timeout.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process     target process
  PID 3168 wrote to memory of 1596   3168  images.exe  cmd.exe
  PID 3168 wrote to memory of 1596   3168  images.exe  cmd.exe
  PID 1596 wrote to memory of 4820   1596  cmd.exe     timeout.exe
  PID 1596 wrote to memory of 4820   1596  cmd.exe     timeout.exe
  PID 1596 wrote to memory of 3968   1596  cmd.exe     images.exe
  PID 1596 wrote to memory of 3968   1596  cmd.exe     images.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\images.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\images.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    Command line: cmd /c timeout /t 10 /nobreak & start "" "C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout /t 10 /nobreak
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\images.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG
Downloads
- memory/1596-131-0x0000000000000000-mapping.dmp
- memory/3168-130-0x00007FF41FCE0000-0x00007FF41FCFF000-memory.dmp (Filesize: 124KB)
- memory/3168-132-0x00007FF41FCE0000-0x00007FF41FCFF000-memory.dmp (Filesize: 124KB)
- memory/3968-134-0x0000000000000000-mapping.dmp
- memory/3968-135-0x00007FF473270000-0x00007FF47328F000-memory.dmp (Filesize: 124KB)
- memory/4820-133-0x0000000000000000-mapping.dmp