Analysis

  • max time kernel
    600s
  • max time network
    603s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2022 14:44

General

  • Target

    1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe

  • Size

    178KB

  • MD5

    3c7dc6cd19e758840ed1aa76c8571f67

  • SHA1

    5f7b02bd8c8854adfb132817f0edae1771bcdb72

  • SHA256

    1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c

  • SHA512

    ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b

  • SSDEEP

    3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg

Score
10/10

Malware Config

Signatures

  • BazarBackdoor 64 IoCs

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
    "C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"
    1⤵
    • BazarBackdoor
    • Modifies system certificate store
    PID:2032
  • C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
    C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe {35B42401-D205-4A5C-8F5F-B8DB86EED8C8}
    1⤵
      PID:696
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      1⤵
        PID:1452
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x1a8
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2032-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

        Filesize

        8KB