Analysis Overview
SHA256
14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2
Threat Level: Known bad
The file 14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2 was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Writes to the Master Boot Record (MBR)
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-07 08:16
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-07 08:16
Reported
2022-10-07 08:19
Platform
win7-20220901-en
Max time kernel
80s
Max time network
51s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
| PID 1252 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
| PID 1252 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
| PID 1252 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe
"C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
Network
Files
memory/1252-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
memory/1464-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
memory/1464-62-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
memory/1464-63-0x0000000036EF0000-0x0000000036F00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
memory/1464-65-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/1464-66-0x0000000140000000-0x000000014402F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
| MD5 | c5a3694ba3529642c79fe2ccd4f00e32 |
| SHA1 | d5baf9cd8e5784cc3af58fd7a492e1381ed87514 |
| SHA256 | 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61 |
| SHA512 | 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
memory/1464-73-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/1464-74-0x0000000140000000-0x000000014402F000-memory.dmp
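The behavioral1 run shows the pattern a triage analyst should pull out of this report: the submitted sample unpacks into a 7ZipSfx.000 directory (the extraction folder naming used by 7-Zip self-extracting archives), drops DiskGenius.exe next to two DLLs whose names match Windows system libraries (VERSION.dll and MSIMG32.dll), and DiskGenius.exe then "Loads dropped DLL". The "Writes to the Master Boot Record (MBR)" signature is triggered by a write-capable open of \??\PhysicalDrive0, not by an observed boot-sector write, so on its own it is weaker evidence than the same-directory DLL loads. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it dedupes the repeated file records by SHA256 and flags loads of hijack-prone DLL names from outside the system directories. The paths and hashes are transcribed from this page; the report does not say which DLL each load event refers to, so pairing DiskGenius.exe with VERSION.dll and MSIMG32.dll is an assumption, and the System32 load is a constructed benign control case.

```python
"""Triage helper for a sandbox run that drops an EXE plus system-named DLLs.

Added example; not code from the original report or from any sandbox vendor.
File paths and hashes are transcribed from the behavioral1 Files section.
Which DLL each "Loads dropped DLL" hit refers to is not stated on the page,
so the IMAGE_LOADS pairing below is an assumption made for the demonstration.
"""
import ntpath

# DLL names frequently abused for search-order hijacking / side-loading.
# version.dll and msimg32.dll are the two that appear in this report; the
# others are well-known companions included only for illustration.
SIDELOAD_PRONE_DLLS = {
    "version.dll", "msimg32.dll", "dbghelp.dll", "wininet.dll", "winhttp.dll",
    "cryptbase.dll", "uxtheme.dll", "propsys.dll",
}
# Directories from which a system DLL is expected to be loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Dropped files as listed on the page. Case variants with and without the
# drive letter are the same on-disk object logged more than once.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     "315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     "315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll",
     "92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll",
     "92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll",
     "2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll",
     "2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini",
     "60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61"),
]

# Constructed image-load events: (loading process image, loaded module).
# Pairing DiskGenius.exe with the two dropped DLLs is the assumption noted
# above; the third record is a benign control (a load from System32).
IMAGE_LOADS = [
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     r"C:\Windows\System32\version.dll"),
]


def normalize(path: str) -> str:
    """Lower-case the path and give drive-less sandbox paths a C: prefix so
    both spellings of the same file compare equal."""
    p = path.lower().replace("/", "\\")
    if p.startswith("\\") and not p.startswith("\\\\"):
        p = "c:" + p
    return p


def unique_dropped_files(dropped):
    """Collapse the report's repeated file records to one path per SHA256."""
    by_hash = {}
    for path, sha256 in dropped:
        by_hash.setdefault(sha256, normalize(path))
    return by_hash


def sideload_candidates(image_loads):
    """Flag loads of a hijack-prone DLL name from outside the system
    directories, noting whether it sits in the loading EXE's own directory."""
    hits = []
    for proc, module in image_loads:
        proc_n, mod_n = normalize(proc), normalize(module)
        if ntpath.basename(mod_n) not in SIDELOAD_PRONE_DLLS:
            continue
        if mod_n.startswith(SYSTEM_DIRS):
            continue  # expected location; not a side-load
        same_dir = ntpath.dirname(mod_n) == ntpath.dirname(proc_n)
        hits.append({"process": proc_n, "module": mod_n, "same_dir": same_dir})
    return hits


def summarize(dropped, image_loads):
    """Return the deduplicated drop manifest and the side-load hits, each hit
    tied back to the SHA256 of the module so the IOC is hash-based."""
    uniq = unique_dropped_files(dropped)
    hits = sideload_candidates(image_loads)
    path_to_hash = {p: h for h, p in uniq.items()}
    for hit in hits:
        hit["sha256"] = path_to_hash.get(hit["module"])
    return uniq, hits


if __name__ == "__main__":
    manifest, flagged = summarize(DROPPED, IMAGE_LOADS)
    print(f"{len(manifest)} unique dropped files")
    for hit in flagged:
        print("side-load candidate:", hit["module"], hit["sha256"])
```

Running it on the transcribed data yields four unique dropped files and two side-load candidates, both loaded from the executable's own directory. In a real triage pipeline the IMAGE_LOADS list would come from the sandbox's own image-load log or from Sysmon Event ID 7 rather than being hand-built, and the SHA256 values are the indicators worth blocking; the path under 7ZipSfx.000 changes with every extraction.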
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-07 08:16
Reported
2022-10-07 08:19
Platform
win10v2004-20220812-en
Max time kernel
100s
Max time network
148s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1600 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
| PID 1600 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe
"C:\Users\Admin\AppData\Local\Temp\14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe"
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.1:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
memory/2080-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
| MD5 | 50c1645573e7b9377165d14556db4626 |
| SHA1 | cb03f8879a256bf6fa76b80d1f45992af342f752 |
| SHA256 | 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5 |
| SHA512 | 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
| MD5 | 2e111b435e8013f5aba504f903a307cf |
| SHA1 | c082e11050a6e4e28c1993a74e64816e71d6fabf |
| SHA256 | 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2 |
| SHA512 | 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll
| MD5 | 16599eb8cab9b4ed39fddba1bd6ca33d |
| SHA1 | 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c |
| SHA256 | 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647 |
| SHA512 | ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb |
memory/2080-139-0x00007FFB88230000-0x00007FFB88240000-memory.dmp
memory/2080-140-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/2080-141-0x0000000140000000-0x000000014402F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
| MD5 | c5a3694ba3529642c79fe2ccd4f00e32 |
| SHA1 | d5baf9cd8e5784cc3af58fd7a492e1381ed87514 |
| SHA256 | 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61 |
| SHA512 | 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb |
memory/2080-146-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp
memory/2080-147-0x0000000140000000-0x000000014402F000-memory.dmp
memory/2080-148-0x0000000140000000-0x000000014402F000-memory.dmp