Malware Analysis Report

2025-01-02 12:00

Sample ID 221123-w6y46sha4x
Target 11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd
SHA256 11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd
Tags
bazarbackdoor backdoor
score
10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd

Threat Level: Known bad

The file 11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor

BazarBackdoor

Bazar/Team9 Backdoor payload

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-11-23 18:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-23 18:32

Reported

2022-11-23 20:40

Platform

win7-20220812-en

Max time kernel

43s

Max time network

48s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe

"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"

Network

Country Destination Domain Proto
N/A 204.79.197.200:443 tcp

Files

memory/1960-54-0x0000000000400000-0x00000000005D1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-23 18:32

Reported

2022-11-23 20:41

Platform

win10v2004-20221111-en

Max time kernel

203s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\SysWOW64\svchost.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\SysWOW64\lsass.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File created \??\c:\windows\system32\hjladobe.tmp C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\system32\svchost.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\SysWOW64\alg.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\SysWOW64\dllhost.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\SysWOW64\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\Appvclient.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A
File opened for modification \??\c:\windows\system32\alg.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File created \??\c:\windows\system32\jpaggokc.tmp C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\system32\lsass.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File created \??\c:\program files\google\chrome\Application\89.0.4389.114\dkilhdmh.tmp C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File created \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\hfqapoee.tmp C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\program files (x86)\google\update\googleupdate.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe

"C:\Users\Admin\AppData\Local\Temp\11e2a20a0667267538dfa1a55409a06ddbfffa8984bcab3ea15fd2f69040e3dd.exe"

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

Network

Country Destination Domain Proto
N/A 104.46.162.224:443 tcp
N/A 93.184.220.29:80 tcp
N/A 8.238.24.126:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.238.24.126:80 tcp
N/A 8.238.24.126:80 tcp
N/A 8.238.24.126:80 tcp
N/A 8.238.24.126:80 tcp
N/A 8.8.8.8:53 15.89.54.20.in-addr.arpa udp
N/A 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 8.8.8.8:53 6.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/1844-132-0x0000000000400000-0x00000000005D1000-memory.dmp

memory/1844-133-0x0000000000400000-0x00000000005D1000-memory.dmp

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

MD5 d19b057406c6df0f97c3112abf196bc9
SHA1 dd2d5aafb39071782e185a79edb64929bc9f361a
SHA256 caa6b505c008f0f0f8bef233dede845db79bc600520e38bcdbdde157dd47c28f
SHA512 9099c68422692ea7c81a7e78a559ce3675af6054926993c053a8e2ce1c7c9eb1f4351ccaf56a2b484bef2c58da3c98097ffc4e6e054798ddf688ceea7754da7b

memory/3452-135-0x0000000140000000-0x0000000140408000-memory.dmp

memory/3452-136-0x0000000140000000-0x0000000140408000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 0750f5c8f5db016af053edf91479d699
SHA1 cf6ac74ced8249666df85af9f6da2da777f9c029
SHA256 2da8a7d78a9f7a35fa1331a4d663d274996da26af3279198bb1efec3d78feb9b
SHA512 b4d21bd22c8a56bd68a9b860a8325c436d2aa7f438a6135b3bb6b4568f63ad5ca5a37c62f8faba4de525f975cd48b76f3064ce3c0156448f0eca63bd0930ccff

memory/760-138-0x0000000140000000-0x0000000140425000-memory.dmp

\??\c:\windows\system32\Appvclient.exe

MD5 2c753b6060901ffdc08b0a90c2284354
SHA1 fe25d68fc151b39d837e4194f1aeda53d0c8c2d1
SHA256 90e06e26f9cdee28c8ed022d5d0925fb22b8acc35ee567c72d1156088ccb4404
SHA512 fe3b81c383a19cbfa801336defc4bc5769ca082e6e776591017f584aa327147c14f8c08235bdd533362fa036350bf2994ce798f23f19e95bb4113dbdb234cbc6

\??\c:\windows\system32\fxssvc.exe

MD5 dd52026537054b555776e6a659fed629
SHA1 67d6d9e31ebb5458e329334a2ef60818092947f1
SHA256 0894e87a2483f8b7eea3ceeb76983d13f4c0356c33cb4ef5a8452051eeaee94d
SHA512 20a03dcad42b96b00d87b96915a8f602fc2d70446f35fb492c0555dc3565225b6651afa9d510bf2943cad3a33ae37fa60f444c62c22236fc7dd4d685369a472a