bazarbackdoor | 52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d

General

Target

52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe
Size

41.7MB
MD5

a6409238576ab8e22969e26430a23e2c
SHA1

f0e56958ba084a78d45be57a94cfb496ebe3adcd
SHA256

52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d
SHA512

101bf300aebf6015964befa1d3b226bec08e919bf58ec69c641a087905009660d62d33f62c7e8de5ebcbd689333eccafff02e3854e870e2eafd38cebdab0f3ef
SSDEEP

786432:azzscsr8/fewB0XWU0BhYduZcf7DfD/Hypzj3Fc2/67f+irh:acrWfe0U/duZuDLHypPVC7f/rh

Score

10^/10

bazarbackdoor backdoor bootkit persistence

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-117-0x0000000140000000-0x000000014402F000-memory.dmp	BazarBackdoorVar3

Executes dropped EXE 2 IoCs

Processes:

DiskGenius.exe

pid process

1660 DiskGenius.exe
1352
Loads dropped DLL 2 IoCs

Processes:

52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exeDiskGenius.exe

pid process

2024 52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe
1660 DiskGenius.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

DiskGenius.exe

description ioc process

File opened for modification \??\PhysicalDrive0 DiskGenius.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DiskGenius.exe

pid process

1660 DiskGenius.exe
1660 DiskGenius.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DiskGenius.exe

pid process

1660 DiskGenius.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

DiskGenius.exe

pid process

1660 DiskGenius.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DiskGenius.exe

pid process

1660 DiskGenius.exe
1660 DiskGenius.exe
1660 DiskGenius.exe
1660 DiskGenius.exe

pid	process
1660	DiskGenius.exe
1352

pid	process
2024	52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe
1660	DiskGenius.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	DiskGenius.exe

pid	process
1660	DiskGenius.exe
1660	DiskGenius.exe

pid	process
1660	DiskGenius.exe

pid	process
1660	DiskGenius.exe

pid	process
1660	DiskGenius.exe
1660	DiskGenius.exe
1660	DiskGenius.exe
1660	DiskGenius.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe

description	pid	process	target process
PID 2024 wrote to memory of 1660	2024	52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe	DiskGenius.exe
PID 2024 wrote to memory of 1660	2024	52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe	DiskGenius.exe
PID 2024 wrote to memory of 1660	2024	52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe	DiskGenius.exe
PID 2024 wrote to memory of 1660	2024	52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe	DiskGenius.exe

C:\Users\Admin\AppData\Local\Temp\52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe
"C:\Users\Admin\AppData\Local\Temp\52a4b5c2b42cc782ad438ee4e1b6b15327aa55e4b5156fdcbebabe09d87f612d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1660

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\MSIMG32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\Options.ini
Filesize
379B

MD5
c5a3694ba3529642c79fe2ccd4f00e32

SHA1
d5baf9cd8e5784cc3af58fd7a492e1381ed87514

SHA256
60e5f3abfdf3c2f35c0caee2e0d0523191777931f95bed3f994e577950c89d61

SHA512
7374a9747278292850f15eb5eae9fc7a198adb9a36eba0fe748cdf9bdd7875745e368c585a7ef3bd641903edd6145c1b42ad158612fe3166802131ba2723a0eb

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\DiskGenius.exe
Filesize
33.6MB

MD5
50c1645573e7b9377165d14556db4626

SHA1
cb03f8879a256bf6fa76b80d1f45992af342f752

SHA256
315a7f7d4d58c2a1de599c7eea624fdf1077d7ae2869220b4a589e2167e120b5

SHA512
360246191279a1b875a2afd1a59654a28e2b9dd5b569322d95e5f8839314c4cd837578c450e458a71e6f0e8e7e73575ecafb8a493fc0d50e254fcdcc5f7f2b96

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\DiskGenius\msimg32.dll
Filesize
7KB

MD5
2e111b435e8013f5aba504f903a307cf

SHA1
c082e11050a6e4e28c1993a74e64816e71d6fabf

SHA256
2f55d527f6d6d41e8efacf926b4d8428abbcfa173861d526d67709bd6c4f78d2

SHA512
34790015a1e7572cbba1a04a93427acb5c6ae164c4b81cad2fc355fd47664867eebd26f89f6d20d264461940bd95dec5091dbb1ee7c2362b38a1694b84424759

Download Submit
memory/1660-112-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/1660-114-0x0000000077960000-0x0000000077962000-memory.dmp

Filesize
8KB

Download
memory/1660-115-0x0000000077960000-0x0000000077962000-memory.dmp

Filesize
8KB

Download
memory/1660-116-0x0000000077960000-0x0000000077962000-memory.dmp

Filesize
8KB

Download
memory/1660-117-0x0000000140000000-0x000000014402F000-memory.dmp

Filesize
64.2MB

Download
memory/1660-113-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download
memory/1660-111-0x0000000077930000-0x0000000077932000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing