Malware Analysis Report

2025-01-02 12:04

Sample ID 221006-e927kagda5
Target 091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
SHA256 091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
Tags
bazarbackdoor backdoor bootkit persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c

Threat Level: Known bad

The file 091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor bootkit persistence

BazarBackdoor

Bazar/Team9 Backdoor payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-06 04:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-06 04:39

Reported

2022-10-06 04:42

Platform

win7-20220812-en

Max time kernel

69s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe

"C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"

Network

N/A

Files

memory/1812-54-0x0000000076411000-0x0000000076413000-memory.dmp

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/936-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

memory/936-62-0x000007FEFBFE1000-0x000007FEFBFE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/936-64-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/936-65-0x00000000375F0000-0x0000000037600000-memory.dmp

memory/936-66-0x0000000140000000-0x000000014402F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini

MD5 c5a3694ba3529642c79fe2ccd4f00e32
SHA1 d5baf9cd8e5784cc3af58fd7a492e1381ed87514
SHA256 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61
SHA512 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/936-73-0x0000000140000000-0x000000014402F000-memory.dmp

memory/936-74-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/936-75-0x0000000140000000-0x000000014402F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-06 04:39

Reported

2022-10-06 04:42

Platform

win10v2004-20220901-en

Max time kernel

94s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe

"C:\Users\Admin\AppData\Local\Temp\091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 20.189.173.1:443 tcp
NL 87.248.202.1:80 tcp
US 93.184.221.240:80 tcp

Files

memory/1768-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

memory/1768-140-0x00007FFB64010000-0x00007FFB64020000-memory.dmp

memory/1768-139-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/1768-141-0x0000000140000000-0x000000014402F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini

MD5 c5a3694ba3529642c79fe2ccd4f00e32
SHA1 d5baf9cd8e5784cc3af58fd7a492e1381ed87514
SHA256 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61
SHA512 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

memory/1768-146-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/1768-147-0x0000000140000000-0x000000014402F000-memory.dmp

memory/1768-148-0x0000000140000000-0x000000014402F000-memory.dmp