Analysis Overview
SHA256
11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd
Threat Level: Known bad
The file 11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Executes dropped EXE
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2022-11-23 18:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-11-23 18:32
Reported: 2022-11-23 20:40
Platform: win7-20220812-en
Max time kernel: 43s
Max time network: 48s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe
"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 204.79.197.200:443 | | tcp |
Files
memory/1960-54-0x0000000000400000-0x00000000005D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2022-11-23 18:32
Reported: 2022-11-23 20:41
Platform: win10v2004-20221111-en
Max time kernel: 203s
Max time network: 208s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A |
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File created | \??\c:\program files\google\chrome\Application\89.0.4389.114\dkilhdmh.tmp | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File created | \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\hfqapoee.tmp | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File opened for modification | \??\c:\program files (x86)\google\update\googleupdate.exe | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| File opened for modification | \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe
"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 104.46.162.224:443 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.238.24.126:80 | | tcp |
| N/A | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/1844-132-0x0000000000400000-0x00000000005D1000-memory.dmp
memory/1844-133-0x0000000000400000-0x00000000005D1000-memory.dmp
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
| MD5 | d19b057406c6df0f97c3112abf196bc9 |
| SHA1 | dd2d5aafb39071782e185a79edb64929bc9f361a |
| SHA256 | caa6b505c008f0f0f8bef233dede845db79bc600520e38bcdbdde157dd47c28f |
| SHA512 | 9099c68422692ea7c81a7e78a559ce3675af6054926993c053a8e2ce1c7c9eb1f4351ccaf56a2b484bef2c58da3c98097ffc4e6e054798ddf688ceea7754da7b |
memory/3452-135-0x0000000140000000-0x0000000140408000-memory.dmp
memory/3452-136-0x0000000140000000-0x0000000140408000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 0750f5c8f5db016af053edf91479d699 |
| SHA1 | cf6ac74ced8249666df85af9f6da2da777f9c029 |
| SHA256 | 2da8a7d78a9f7a35fa1331a4d663d274996da26af3279198bb1efec3d78feb9b |
| SHA512 | b4d21bd22c8a56bd68a9b860a8325c436d2aa7f438a6135b3bb6b4568f63ad5ca5a37c62f8faba4de525f975cd48b76f3064ce3c0156448f0eca63bd0930ccff |
memory/760-138-0x0000000140000000-0x0000000140425000-memory.dmp
\??\c:\windows\system32\Appvclient.exe
| MD5 | 2c753b6060901ffdc08b0a90c2284354 |
| SHA1 | fe25d68fc151b39d837e4194f1aeda53d0c8c2d1 |
| SHA256 | 90e06e26f9cdee28c8ed022d5d0925fb22b8acc35ee567c72d1156088ccb4404 |
| SHA512 | fe3b81c383a19cbfa801336defc4bc5769ca082e6e776591017f584aa327147c14f8c08235bdd533362fa036350bf2994ce798f23f19e95bb4113dbdb234cbc6 |
\??\c:\windows\system32\fxssvc.exe
| MD5 | dd52026537054b555776e6a659fed629 |
| SHA1 | 67d6d9e31ebb5458e329334a2ef60818092947f1 |
| SHA256 | 0894e87a2483f8b7eea3ceeb76983d13f4c0356c33cb4ef5a8452051eeaee94d |
| SHA512 | 20a03dcad42b96b00d87b96915a8f602fc2d70446f35fb492c0555dc3565225b6651afa9d510bf2943cad3a33ae37fa60f444c62c22236fc7dd4d685369a472a |