Analysis Overview
SHA256
bbd26c4e7db42429d9c8c490d3efaf16f931a242604c6c63c75e61273c7228d0
Threat Level: Known bad
The file boxer_trc_scapy_nuit.exe was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-20 22:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-20 22:19
Reported
2022-12-20 22:21
Platform
win7-20221111-en
Max time kernel
27s
Max time network
31s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1784 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe |
| PID 1784 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe |
| PID 1784 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe
"C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe
"C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe
| MD5 | 06a3f52b457316fdf4eb30df293344a3 |
| SHA1 | bd2b30b2ed07c727d57e1db04249386f50adc463 |
| SHA256 | 2590d742ee58f75382a2dd612a8710a8e908f79ea2e7159685175c8832a380f3 |
| SHA512 | 62ab55b12a87ad0044874a44f312b92905c0568f10072d09e85c0c10f8d3fbe22265d8981724128f4d9ed0e01583e46a5d4b8be7adaea968c03c4caae0521967 |
C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\boxer_trc_scapy.exe
| MD5 | 06a3f52b457316fdf4eb30df293344a3 |
| SHA1 | bd2b30b2ed07c727d57e1db04249386f50adc463 |
| SHA256 | 2590d742ee58f75382a2dd612a8710a8e908f79ea2e7159685175c8832a380f3 |
| SHA512 | 62ab55b12a87ad0044874a44f312b92905c0568f10072d09e85c0c10f8d3fbe22265d8981724128f4d9ed0e01583e46a5d4b8be7adaea968c03c4caae0521967 |
C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
memory/2040-55-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
\Users\Admin\AppData\Local\Temp\onefile_1784_133160519528040000\vcruntime140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |
memory/1784-65-0x000007FEFC1B1000-0x000007FEFC1B3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-20 22:19
Reported
2022-12-20 22:21
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4284 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe |
| PID 4284 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe | C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe
"C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe
"C:\Users\Admin\AppData\Local\Temp\boxer_trc_scapy_nuit.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 2.18.109.224:443 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
Files
memory/4480-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\boxer_trc_scapy.exe
| MD5 | 06a3f52b457316fdf4eb30df293344a3 |
| SHA1 | bd2b30b2ed07c727d57e1db04249386f50adc463 |
| SHA256 | 2590d742ee58f75382a2dd612a8710a8e908f79ea2e7159685175c8832a380f3 |
| SHA512 | 62ab55b12a87ad0044874a44f312b92905c0568f10072d09e85c0c10f8d3fbe22265d8981724128f4d9ed0e01583e46a5d4b8be7adaea968c03c4caae0521967 |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\vcruntime140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
C:\Users\Admin\AppData\Local\Temp\onefile_4284_133160483549068117\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |