Analysis

  • max time kernel
    178s
  • max time network
    181s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-10-2022 05:21

General

  • Target

    e38af0d79c15c641f3856bca0471b6e7205acac3d152816dc6ee8335e2a946f6.exe

  • Size

    772KB

  • MD5

    70b32a8786fff94ddf3dba0c175e4980

  • SHA1

    1a9e9f72ea95df566971c62d05987ca30e1f8a08

  • SHA256

    e38af0d79c15c641f3856bca0471b6e7205acac3d152816dc6ee8335e2a946f6

  • SHA512

    4ae96d2998c04b895e9ecb98638e79803f4308c85d315915653f436bae61fcbac5f4d50528c9668b5835b5d88673106a0ea381361c9671fa5cb1e3cc99c821e4

  • SSDEEP

    24576:2MPTxtWEk5kS6Xq3QEPvrl8rZHty5jux:2aqEy6a3QEPvmxtyS

Malware Config

Signatures

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazar/Team9 Backdoor payload (4 IoCs)
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Windows security modification (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops Chrome extension (1 IoC)
  • Enumerates connected drives (3 TTPs, 44 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (32 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\e38af0d79c15c641f3856bca0471b6e7205acac3d152816dc6ee8335e2a946f6.exe
    "C:\Users\Admin\AppData\Local\Temp\e38af0d79c15c641f3856bca0471b6e7205acac3d152816dc6ee8335e2a946f6.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1752
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2864
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:1720
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:3832
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3732

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    • T1089 Disabling Security Tools (1)
    • T1112 Modify Registry (2)
  • Credential Access
    • T1081 Credentials in Files (1)
  • Discovery
    • T1012 Query Registry (2)
    • T1120 Peripheral Device Discovery (1)
    • T1082 System Information Discovery (1)
  • Collection
    • T1005 Data from Local System (1)

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    b28a38c4701489a6013bfb34282f3f70

    SHA1

    ee8960071e9d4d11ae310ce62114d9aebce9711c

    SHA256

    a03dddb0444d28be913f33743cc4deff96d68a01b8688fbe6ca3aecb7a77a029

    SHA512

    c13225e1d48ff655eb0c787175abd1e2fe8318a925e1a3df1b1626416f13ab2596d09d22ffef9329a33e8a2e27f98d44ecfe2b6e49c869170c97a977297665db

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    788KB

    MD5

    bf1798e4b4d62f9c9ee3b2a13c6639ac

    SHA1

    164b72a907835638e8c8bc41199ed21e0a67d4e5

    SHA256

    04b0883f53698dbb2db1a0861b6d91cb9b88bebb7164e9f30ecbe822821d0f7a

    SHA512

    9ad0b26f387a8d652e222082f977b19db7880089c5b43b5fdbfd371a56f6350e74a14888dc9712ba1359e09486d59590f467acdc9e091efbe6b60e9b2cfd4173

  • C:\Program Files\7-Zip\7z.exe
    Filesize

    1018KB

    MD5

    42466a0e78355f80892e3c265a28fc6a

    SHA1

    8b8e16f3624597414ca7c0b7cf0ec41e904582d1

    SHA256

    01318727d5a8dbb9e7676e010a6d4782c61c093afe9a336e385b9b8aa2dfad6e

    SHA512

    c1c8c8a159972961affae3989f88ebe736bde586c670d403577a6059a365a14eea5ea5112790b39ac137071e9ff875b28b5ad696bd1745a505d0ff69f1aec5b0

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize

    1.4MB

    MD5

    62c455924f6ba101211bd539ef86bd03

    SHA1

    bb1fa34c553d34595faa9d768026e8f03064002f

    SHA256

    4a08e4185fc9a073ad311189136f58c790b5f4067cb0145fa6c377653a087d09

    SHA512

    b8c2d0e3d20cdfe1ea7c31cf4e9e2a5464e85a66c2bc380ddb642f8d54d986b57947498a821ef300bf5cd2143b3c6dc8c25a743e4c07a957ad93d50465338306

  • C:\Program Files\7-Zip\Uninstall.exe
    Filesize

    575KB

    MD5

    498848cfd0409f145adc20653b31b4bf

    SHA1

    40d199cb96aa8fb506ce87fa4ab1c4bc714faa0f

    SHA256

    ebc76dd2f62b9ce26c7126aef9d0b9496c944147eec7cf65424dfc0cb7093432

    SHA512

    dc77e0c2240e9cdf8673bf7c1d208a2c53c43c948e738fcd0db4c6431d5cffccb7ddff1470d8b0e12ad088475019ddcec5df0ac37b7c4573101cccc1d6f75529

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    797KB

    MD5

    1505f9da84f04972a2d82c1dfe1b5805

    SHA1

    75e0944f3ac0af0464066326402070fecb81b943

    SHA256

    017fa4a696f6ebddb517b09933e4ef07e9a1e46e4ceab9271866c7aa1eb9633e

    SHA512

    bc6bfeb2ae2063f99ffbf6bbb67d1cffd6b18dff58db035a566927fe4c40040550493cd5fef3490e39c0809aeaa74463781697b90a41cee1d9765cb8adf5994f

  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    Filesize

    2.0MB

    MD5

    351de0b2b3c28b71fde928332fc4eb34

    SHA1

    41bba31016e7eb7a28f298d1ddbd3e7f0bf143ea

    SHA256

    611351037b32ea672ffc5805827bef65c8c8ada137b766afb8f949ee1b51d8c3

    SHA512

    1e3a77a2749648338db3711383bd52bf1b2b5d2d25776651838862a7308d72e76f0187b3eed8a6b3ab0082bb625b54eefe128c91d47aa57673cb710d666e7da8

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    932KB

    MD5

    1c2b64b4fde132b000c5c3b5899e8568

    SHA1

    2860a5a2ec4512afbc32e5e14d104f8ae3daa5ce

    SHA256

    31b6b97ac71502d7abfff6ff20780008643ce3786274d1e99817c78e1651bc74

    SHA512

    1d6a0bd5f1daaa732b3ec50fc807d73207a357fb5e1274fe1bbf2b7c83c306bfbd10ad4ad99c0ee855777127da9520d4f2d6dde117881bca8c9e5ff3b9469eca

  • C:\odt\office2016setup.exe
    Filesize

    5.6MB

    MD5

    dfccb2a46f546e7d1f310a7f296f5e41

    SHA1

    b8b8ae95b187efc09dbccb3d51a379004a1e9eac

    SHA256

    fc6ac343ab1a62a5518e7ce154c8172fab2a02a7e8a8a3a30378423327a10399

    SHA512

    1cf3a90ae0a7a452a7dd06313fa587299a159fc0d5c9b21971c350dc86ecccae8f32b55912dafb601545d70c8b7ada1cd128842be6878275d099d37976a4f7b5

  • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
    Filesize

    788KB

    MD5

    bf1798e4b4d62f9c9ee3b2a13c6639ac

    SHA1

    164b72a907835638e8c8bc41199ed21e0a67d4e5

    SHA256

    04b0883f53698dbb2db1a0861b6d91cb9b88bebb7164e9f30ecbe822821d0f7a

    SHA512

    9ad0b26f387a8d652e222082f977b19db7880089c5b43b5fdbfd371a56f6350e74a14888dc9712ba1359e09486d59590f467acdc9e091efbe6b60e9b2cfd4173

  • \??\c:\windows\system32\Appvclient.exe
    Filesize

    1.3MB

    MD5

    3358872f42a7df5c5fffb639fd100a69

    SHA1

    32251163391300683d955a37991d481bc0f18daf

    SHA256

    dbbf7cc5b5b8a3da44135aba26b3c370e8ba0b4ab2ed07ffc0d059f49dccbe33

    SHA512

    9e8b816422c44d19badb2c2b283af1db23073e18d992f8760d943b520c506450f51ddcbd66d201eeff4222af85a742d33c4b105754407e82f53a973795f5e961

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    cd30eaa8665356407ae9d0c3bec628bb

    SHA1

    f629db2cb5fc0aebb81735f375de961263990f6c

    SHA256

    41146210e7a5c4a98f1e654f158f1c4b159c81ed7821d7c1697764dab7910c8c

    SHA512

    dd9a6e6c9364a3fc2195bd1b38d65d838414b489535e53c214bc1c4df52a1ce4b9adbb8299a8f84c1fd5a910c741971c1a76d75c69fe1ae47de50c5499cd08ba

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    704KB

    MD5

    30249840167336f9582a43e654ceebf8

    SHA1

    c3589864ffea8622e34cd51f6bc23ea9da66e9bd

    SHA256

    2d093ffc158c502dac83f312b98ab9ec81913922b8b4f94def1bf9aed19daccc

    SHA512

    876cabf806ef3e4fa4ef0c0056da32f85f04424867f3f774b580ddbc4b318198ea53dc3dc87096719bb4fa490ec452c7f3e6af32151f74456ead2759dd87963a

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    627KB

    MD5

    36488c1b55264867f6f83196c2ec956a

    SHA1

    c9de081c1c75c0e9ec61ebf13cd6a6f64c1b4ae7

    SHA256

    8379eb97fabeb760d7101fa41b80625960627b73c606dd3ee851568e479895df

    SHA512

    65194a11dc6d6e1f2609b5c0b0021f02167cc1465bbda0d21cef73987ac28f9d2a56cd7ffc759d9c6e2d7a4f9c7707e7cbb6b09114756cc0055a0db500ae6b7b

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    576KB

    MD5

    fc72e4137590f9bd533bc2a6766ff8b7

    SHA1

    2fe3c00019e78dc0a9abb6e6b014972c9a15186e

    SHA256

    e02be5f67efde38b0f7c2fa0ada90ab9376fb0881c670bad1069a1075a3e7788

    SHA512

    7e5db6d6e46cecd7497bf9e0a29069b03f18b8ccb3b19ef31ce60eb7d69b259b450c5eed695dd369f104a9fa7b0417cc1d703914938d1fdb407528c8158bd32a

  • memory/1720-140-0x0000000140000000-0x000000014022A000-memory.dmp
    Filesize

    2.2MB

  • memory/1720-139-0x0000000140000000-0x000000014022A000-memory.dmp
    Filesize

    2.2MB

  • memory/1752-135-0x0000000140000000-0x0000000140369000-memory.dmp
    Filesize

    3.4MB

  • memory/1752-144-0x0000000140000000-0x0000000140369000-memory.dmp
    Filesize

    3.4MB

  • memory/1844-133-0x0000000001000000-0x0000000001280000-memory.dmp
    Filesize

    2.5MB

  • memory/1844-132-0x0000000001000000-0x0000000001280000-memory.dmp
    Filesize

    2.5MB

  • memory/2864-147-0x0000000140000000-0x0000000140387000-memory.dmp
    Filesize

    3.5MB

  • memory/2864-137-0x0000000140000000-0x0000000140387000-memory.dmp
    Filesize

    3.5MB

  • memory/3732-155-0x0000000140000000-0x000000014025D000-memory.dmp
    Filesize

    2.4MB

  • memory/3732-154-0x0000000140000000-0x000000014025D000-memory.dmp
    Filesize

    2.4MB

  • memory/3832-142-0x0000000140000000-0x000000014022A000-memory.dmp
    Filesize

    2.2MB

  • memory/3832-151-0x0000000140000000-0x000000014022A000-memory.dmp
    Filesize

    2.2MB