Malware Analysis Report

2025-01-02 12:02

Sample ID 221228-fjq72she35
Target b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef
SHA256 b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef
Tags
bazarbackdoor backdoor bootkit persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef

Threat Level: Known bad

The file b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor bootkit persistence

BazarBackdoor

Bazar/Team9 Backdoor payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-28 04:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-28 04:54

Reported

2022-12-28 04:57

Platform

win7-20220812-en

Max time kernel

77s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Note: the indicator is a handle opened for modification on \??\PhysicalDrive0, not a captured write to sector 0. DiskGenius.exe carries the file name of a commercial partition-management tool, and such tools open the raw physical drive as a matter of course, so the bootkit/persistence tags rest on this heuristic alone. Confirm an actual MBR change by comparing the first 512 bytes of PhysicalDrive0 before and after detonation.
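The follow-up check for that indicator, as an added example that is not part of the sandbox report: parse a 512-byte sector 0, verify the 0x55AA signature, hash the boot-code region and diff a before/after pair. Both MBR images below are constructed in code (the boot-code bytes and the single NTFS-typed partition are illustrative), so nothing touches a real disk; `read_sector0` shows the live read on Windows but is not called.

```python
"""Check whether the MBR (sector 0 of PhysicalDrive0) actually changed.

Added example, not part of the sandbox report. The report only records that
DiskGenius.exe opened \\??\\PhysicalDrive0 for modification; this script shows
the follow-up check: parse the 512-byte MBR, verify the 0x55AA signature,
hash the boot code and diff before/after images. The two MBR images below
are constructed in code, so the script runs without touching a real disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (and disk signature on modern MBRs)
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510                # 0x55 0xAA terminates the sector
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for status, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Return signature validity, a hash of the boot code and the non-empty partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    sig_ok = mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba": lba, "sectors": count})
    return {
        "signature_ok": sig_ok,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(before: bytes, after: bytes) -> dict:
    """Summarize what changed between two sector-0 images."""
    b, a = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": b["boot_code_sha256"] != a["boot_code_sha256"],
        "partition_table_changed": before[PART_TABLE_OFF:SIG_OFF] != after[PART_TABLE_OFF:SIG_OFF],
        "signature_ok_after": a["signature_ok"],
    }


def read_sector0(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR on Windows (needs an elevated prompt); not called in this example."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR)


# Constructed images: a baseline with one bootable NTFS-typed (0x07) partition, and a
# copy whose boot code was overwritten while the partition table was left alone.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
BASELINE = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8", PARTITIONS)
TAMPERED = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 64, PARTITIONS)

if __name__ == "__main__":
    print(parse_mbr(BASELINE))
    print(diff_mbr(BASELINE, TAMPERED))
```

A benign partition tool that only reads the drive leaves both `boot_code_changed` and `partition_table_changed` false; a bootkit flips the first while usually keeping the table and the 0x55AA signature intact so the machine still boots.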

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Note: this is NtSetInformationThread called with the ThreadHideFromDebugger information class, which stops the calling thread from delivering debug events to an attached debugger. Two calls were recorded, both from DiskGenius.exe. Commercial software protectors use the same call, so on its own it shows anti-analysis intent rather than malicious code.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe

"C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
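Detection logic for the process chain above, as an added example that is not code from the report or the sandbox. The process records are constructed from the Processes section: the submitted sample runs from %TEMP% and spawns DiskGenius.exe from the 7ZipSfx.000 extraction directory. PIDs 2016 and 1628 are taken from the memory-dump names in the Files section; the explorer.exe parent, the control event and the field names (pid, ppid, image, cmdline) are assumptions, not a real EDR schema.

```python
"""Flag a self-extracting archive running its payload from its extraction directory.

Added example, not part of the report. Events are constructed to mirror the
Processes section; field names are assumptions, not a real EDR schema.
"""
import re
from dataclasses import dataclass

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# 7-Zip SFX stubs extract into a numbered 7ZipSfx.NNN directory under %TEMP%
SFX_DIR = re.compile(r"\\AppData\\Local\\Temp\\7ZipSfx\.\d{3}\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"

# Constructed event stream (PIDs 2016/1628 from the report's dump names; the rest assumed).
EVENTS = [
    ProcEvent(1320, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2016, 1320, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1628, 2016, PAYLOAD, f'"{PAYLOAD}"'),
    # Control: an extraction-dir child whose parent is explorer.exe; the rule must not flag it.
    ProcEvent(3400, 1320, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\setup.exe", "setup.exe"),
]


def ancestry(events, pid):
    """Image names from pid up to the root, e.g. 'child.exe <- parent.exe <- explorer.exe'."""
    by_pid = {e.pid: e for e in events}
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return " <- ".join(names)


def detect_sfx_payload(events):
    """Child image inside a 7ZipSfx.NNN directory whose parent image also lives under %TEMP%."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not SFX_DIR.search(e.image):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not TEMP_DIR.search(parent.image):
            continue
        hits.append({"pid": e.pid, "image": e.image, "chain": ancestry(events, e.pid)})
    return hits


if __name__ == "__main__":
    for hit in detect_sfx_payload(EVENTS):
        print(hit["pid"], hit["chain"])
```

Requiring the parent to sit under %TEMP% as well is what separates a dropper (archive itself downloaded to Temp, then self-extracting) from a user double-clicking an installer elsewhere; tune the directory patterns to the extraction paths your SFX stubs actually use.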

Network

N/A

Files

memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/1628-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

memory/1628-62-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

memory/1628-63-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/1628-65-0x00000000376F0000-0x0000000037700000-memory.dmp

memory/1628-66-0x0000000140000000-0x000000014402F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini

MD5 c5a3694ba3529642c79fe2ccd4f00e32
SHA1 d5baf9cd8e5784cc3af58fd7a492e1381ed87514
SHA256 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61
SHA512 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

memory/1628-72-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/1628-73-0x0000000140000000-0x000000014402F000-memory.dmp
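The Files list above repeats each dropped file under case variants and with or without the drive letter. As an added example (not code from the report or the sandbox), the script below collapses the behavioral1 file entries to unique artifacts by SHA256 and then applies the check a practitioner would run on them: a dropped EXE with DLLs beside it whose names match DLLs Windows normally resolves from System32, which is the pattern behind the report's "Loads dropped DLL" signature and the classic DLL side-loading layout. RAW is transcribed from the Files section; SYSTEM_DLLS is an assumed small subset of such DLL names.

```python
"""Collapse the dropped-file list to unique artifacts and flag DLL side-loading.

Added example, not code from the report or the sandbox. RAW is the Files
section of behavioral1 transcribed as (path, SHA256); SYSTEM_DLLS is an
assumed subset of DLLs normally loaded from System32.
"""
import ntpath

RAW = [
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     "315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe",
     "315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll",
     "92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll",
     "92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll",
     "2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2"),
    (r"\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll",
     "2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2"),
    (r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini",
     "60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61"),
]

# Assumption: a small subset of DLLs that live in System32 and are loaded by name by
# many applications; a copy sitting next to the EXE wins the default search order.
SYSTEM_DLLS = {"version.dll", "msimg32.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll", "cryptsp.dll"}


def normalize_path(path: str) -> str:
    """Lower-case and restore the drive letter the report drops on some entries."""
    p = path.lower()
    if p.startswith("\\users\\"):
        p = "c:" + p
    return p


def unique_artifacts(entries):
    """Group the observed (normalized) paths by SHA256."""
    by_hash = {}
    for path, sha256 in entries:
        by_hash.setdefault(sha256, set()).add(normalize_path(path))
    return by_hash


def sideload_candidates(by_hash):
    """Directories holding at least one EXE plus DLLs named like System32 DLLs."""
    per_dir = {}
    for paths in by_hash.values():
        for p in paths:
            d, name = ntpath.split(p)
            per_dir.setdefault(d, set()).add(name)
    hits = []
    for d, names in sorted(per_dir.items()):
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n in SYSTEM_DLLS)
        if exes and dlls:
            hits.append({"dir": d, "exe": exes, "dlls": dlls})
    return hits


if __name__ == "__main__":
    arts = unique_artifacts(RAW)
    for sha, paths in arts.items():
        print(sha[:16], sorted(paths))
    for hit in sideload_candidates(arts):
        print("side-load candidate:", hit)
```

Four unique artifacts come out of the eleven listed entries, and the one directory flagged is the DiskGenius extraction folder, where version.dll and msimg32.dll sit beside the EXE. Whether the EXE is the genuine tool and the DLLs are the malicious half is a question for the hashes and the DLL exports, not for this heuristic.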

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-28 04:54

Reported

2022-12-28 04:57

Platform

win10v2004-20221111-en

Max time kernel

112s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe

"C:\Users\Admin\AppData\Local\Temp\b9cf22ab52de455b9b773887331822339f50a966505b082b73f5188942ff6bef.exe"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"

Network

Country Destination Domain Proto
N/A 8.253.208.121:80 N/A tcp
N/A 8.253.208.121:80 N/A tcp
N/A 104.80.225.205:443 N/A tcp
N/A 20.189.173.12:443 N/A tcp
N/A 8.253.208.121:80 N/A tcp
N/A 8.253.208.121:80 N/A tcp
N/A 8.253.208.121:80 N/A tcp

Unique destinations: 8.253.208.121:80 (five connections), 104.80.225.205:443 and 20.189.173.12:443. No domain was resolved for any of them, none is tied to a process in this export, and the Windows 7 run (behavioral1) recorded no network activity at all, so treat them as unattributed until they are linked to DiskGenius.exe or the dropped DLLs; port 80/443 traffic from a Windows 10 sandbox can include OS background traffic.

Files

memory/3132-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\VERSION.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe

MD5 50c1645573e7b9377165d14556db4626
SHA1 cb03f8879a256bf6fa76b80d1f45992af342f752
SHA256 315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5
SHA512 360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll

MD5 2e111b435e8013f5aba504f903a307cf
SHA1 c082e11050a6e4e28c1993a74e64816e71d6fabf
SHA256 2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2
SHA512 34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\version.dll

MD5 16599eb8cab9b4ed39fddba1bd6ca33d
SHA1 6fd05c3e0a823810a69e8a7d119d4f4e69f9fd8c
SHA256 92c122b6e2ce9c6a5a40884d0d999da94c47e7c1b846183c137b3cd77314b647
SHA512 ec360831508ea73d977e1fb14c1ea4336d3c4a783eeb94b3be7bb5cfe241a89d349ff856c466da494a942a5616af4b6e48c51d69c8001bdd42e1cb412c6c69bb

memory/3132-139-0x00007FFBF2B30000-0x00007FFBF2B40000-memory.dmp

memory/3132-140-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/3132-141-0x0000000140000000-0x000000014402F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini

MD5 c5a3694ba3529642c79fe2ccd4f00e32
SHA1 d5baf9cd8e5784cc3af58fd7a492e1381ed87514
SHA256 60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61
SHA512 7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

memory/3132-146-0x000007FF7D1A0000-0x000007FF7D1A6000-memory.dmp

memory/3132-147-0x0000000140000000-0x000000014402F000-memory.dmp