bazarbackdoor | 0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091

Analysis

max time kernel
77s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe
Size

42.1MB
MD5

8f8d83f16ce564d36e2a69a1f4e03c31
SHA1

c7238a500acb380f85f8d5c8bb8d5f396738dc27
SHA256

0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091
SHA512

6dee695d0671074b82cbf6131a91fa7521d24cff2f38ed6763aa57fe097a8e1809ac69b70c799956bd251a7e047672cef5d60e0805775c0473dc06eafde55e06
SSDEEP

786432:ZqHp5/WbZIgG6EBkvhUyR3zJ2zhEUcMjWP2lAKO7eqpsI49Ug6S6Y5l6vTsylLQL:ZSWzmB8GyRDIiULWVS+49+WAlLQgE

Score

10^/10

bazarbackdoor backdoor bootkit persistence

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/892-66-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/892-74-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3

Executes dropped EXE 2 IoCs

Processes:

DiskGenius.exe

pid process

892 DiskGenius.exe
1340
Loads dropped DLL 4 IoCs

Processes:

0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exeDiskGenius.exe

pid process

1644 0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe
892 DiskGenius.exe
892 DiskGenius.exe
1340
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

892 DiskGenius.exe
892 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DiskGenius.exe

pid process

892 DiskGenius.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DiskGenius.exe

pid process

892 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

892 DiskGenius.exe
892 DiskGenius.exe
892 DiskGenius.exe
892 DiskGenius.exe

pid	process
892	DiskGenius.exe
1340

pid	process
1644	0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe
892	DiskGenius.exe
892	DiskGenius.exe
1340

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
892	DiskGenius.exe
892	DiskGenius.exe

pid	process
892	DiskGenius.exe

pid	process
892	DiskGenius.exe

pid	process
892	DiskGenius.exe
892	DiskGenius.exe
892	DiskGenius.exe
892	DiskGenius.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe

description	pid	process	target process
PID 1644 wrote to memory of 892	1644	0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe	DiskGenius.exe
PID 1644 wrote to memory of 892	1644	0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe	DiskGenius.exe
PID 1644 wrote to memory of 892	1644	0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe	DiskGenius.exe
PID 1644 wrote to memory of 892	1644	0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe
"C:\Users\Admin\AppData\Local\Temp\0a7b2e177130f79f28afe0c2f40eba8d7407ee346b4bf710aab1c461055be091.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:892

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
Filesize
379B

MD5
c5a3694ba3529642c79fe2ccd4f00e32

SHA1
d5baf9cd8e5784cc3af58fd7a492e1381ed87514

SHA256
60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61

SHA512
7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
Filesize
3.8MB

MD5
16599eb8cab9b4ed39fddba1bd6ca33d

SHA1
6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c

SHA256
92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647

SHA512
ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
Filesize
3.8MB

MD5
16599eb8cab9b4ed39fddba1bd6ca33d

SHA1
6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c

SHA256
92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647

SHA512
ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

Download Submit
memory/892-62-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/892-65-0x0000000037AC0000-0x0000000037AD0000-memory.dmp

Filesize
64KB

Download
memory/892-66-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download
memory/892-63-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download
memory/892-56-0x0000000000000000-mapping.dmp

Download
memory/892-73-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

Filesize
24KB

Download
memory/892-74-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download
memory/1644-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download