Analysis Overview
SHA256
cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
Threat Level: Known bad
The file cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-03 05:29
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-03 05:29
Reported
2022-10-03 05:32
Platform
win7-20220812-en
Max time kernel
79s
Max time network
44s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1076 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe |
| PID 1076 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe |
| PID 1076 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
"C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe"
Network
Files
memory/1076-54-0x000007FEFC431000-0x000007FEFC433000-memory.dmp
memory/1076-55-0x0000000140000000-0x0000000140061000-memory.dmp
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
memory/1672-57-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VERSION.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MSIMG32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\version.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
memory/1672-64-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/1672-66-0x0000000037A40000-0x0000000037A50000-memory.dmp
memory/1672-67-0x0000000140000000-0x000000014402F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Options.ini
| MD5 | c5a3694ba3529642c79fe2ccd4f00e32 |
| SHA1 | d5baf9cd8e5784cc3af58fd7a492e1381ed87514 |
| SHA256 | 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61 |
| SHA512 | 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb |
memory/1672-74-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/1672-75-0x0000000140000000-0x000000014402F000-memory.dmp
memory/1672-76-0x0000000140000000-0x000000014402F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-03 05:29
Reported
2022-10-03 05:32
Platform
win10v2004-20220812-en
Max time kernel
140s
Max time network
163s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1336 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe |
| PID 1336 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe
"C:\Users\Admin\AppData\Local\Temp\cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 13.69.239.72:443 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/1336-132-0x0000000140000000-0x0000000140061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
memory/3460-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\VERSION.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\MSIMG32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\msimg32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\version.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
memory/3460-140-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/3460-141-0x00007FF9E3EF0000-0x00007FF9E3F00000-memory.dmp
memory/3460-142-0x0000000140000000-0x000000014402F000-memory.dmp
memory/3460-146-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/3460-147-0x0000000140000000-0x000000014402F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Options.ini
| MD5 | c5a3694ba3529642c79fe2ccd4f00e32 |
| SHA1 | d5baf9cd8e5784cc3af58fd7a492e1381ed87514 |
| SHA256 | 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61 |
| SHA512 | 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb |