bazarbackdoor | cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b

Analysis

max time kernel
79s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
Size

43.6MB
MD5

5db9b584c3fceaaf17467727ea35a972
SHA1

9e95d8d396921f03853c4a550111d5e20a9b99c0
SHA256

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
SHA512

d02e0ba321965cb9c1667677758aad8ed1c7f2ef6c682ad60a795f0050c40b265754065d59c85b08baa68e060c49ecc2535e2e81a8b562848337b3269fab792a
SSDEEP

786432:Kx+p5kDn/qyNvZBB3kGBADni0M7DtuephMHr4zEh2lpDLqW8LpdL:Kx+p56RNxBBeDC78e0Hr4oAjqW8Lp9

Score

10^/10

bazarbackdoor backdoor bootkit persistence upx

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1672-67-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/1672-75-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/1672-76-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3

Executes dropped EXE 2 IoCs

Processes:

DiskGenius.exe

pid process

1672 DiskGenius.exe
1416

pid	process
1672	DiskGenius.exe
1416

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1076-55-0x0000000140000000-0x0000000140061000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exeDiskGenius.exe

pid process

1076 cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
1672 DiskGenius.exe
1672 DiskGenius.exe
1416
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

1672 DiskGenius.exe
1672 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DiskGenius.exe

pid process

1672 DiskGenius.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DiskGenius.exe

pid process

1672 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

1672 DiskGenius.exe
1672 DiskGenius.exe
1672 DiskGenius.exe
1672 DiskGenius.exe

pid	process
1076	cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
1672	DiskGenius.exe
1672	DiskGenius.exe
1416

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
1672	DiskGenius.exe
1672	DiskGenius.exe

pid	process
1672	DiskGenius.exe

pid	process
1672	DiskGenius.exe

pid	process
1672	DiskGenius.exe
1672	DiskGenius.exe
1672	DiskGenius.exe
1672	DiskGenius.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe

description	pid	process	target process
PID 1076 wrote to memory of 1672	1076	cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe	DiskGenius.exe
PID 1076 wrote to memory of 1672	1076	cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe	DiskGenius.exe
PID 1076 wrote to memory of 1672	1076	cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
"C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MSIMG32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Options.ini
Filesize
379B

MD5
c5a3694ba3529642c79fe2ccd4f00e32

SHA1
d5baf9cd8e5784cc3af58fd7a492e1381ed87514

SHA256
60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61

SHA512
7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VERSION.dll
Filesize
3.8MB

MD5
16599eb8cab9b4ed39fddba1bd6ca33d

SHA1
6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c

SHA256
92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647

SHA512
ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\version.dll
Filesize
3.8MB

MD5
16599eb8cab9b4ed39fddba1bd6ca33d

SHA1
6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c

SHA256
92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647

SHA512
ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

Download Submit
memory/1076-54-0x000007FEFC431000-0x000007FEFC433000-memory.dmp

Filesize
8KB

Download
memory/1076-55-0x0000000140000000-0x0000000140061000-memory.dmp

Filesize
388KB

Download
memory/1672-64-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download
memory/1672-66-0x0000000037A40000-0x0000000037A50000-memory.dmp

Filesize
64KB

Download
memory/1672-67-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download
memory/1672-57-0x0000000000000000-mapping.dmp

Download
memory/1672-74-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download
memory/1672-75-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download
memory/1672-76-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads