Analysis
max time kernel: 109s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2023 07:56
Static task
static1
1 signatures

Behavioral task
behavioral1
Sample: filemanpdf.dll
Resource: win7-20230621-en (windows7-x64)
1 signatures
150 seconds

Behavioral task
behavioral2
Sample: filemanpdf.dll
Resource: win10v2004-20230621-en (windows10-2004-x64)
3 signatures
150 seconds
General
Target: filemanpdf.dll
Size: 213KB
MD5: 6f3be0dfe6b5971b16464b7924772445
SHA1: 8af5e975c00f5bdbd843f644a60adbb5f8da8a0d
SHA256: b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb
SHA512: a1a8d49ec7610c37284a2e9f7409f1f93343c7d9c676985b9a3759388835880e7e376451e89294654cb4fc0f6c6386876896da50347c8bc4a98b80b1825cd5ef
SSDEEP: 3072:GmmcI7/mAuyLKfrsP5PUD1jB8pZbiYbrmdwDb2lyZi4oRWLuaW5FxvwR0N:/jI7uzfrkAjBoZ1bRi2JYx
Score: 10/10
Malware Config
Signatures
- Bazar Loader: Detected loader normally used to deploy BazarBackdoor malware.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description              pid   process       target process
wrote to memory of 3664  828   rundll32.exe  cmd.exe
wrote to memory of 3664  828   rundll32.exe  cmd.exe
wrote to memory of 2044  3664  cmd.exe       PING.EXE
wrote to memory of 2044  3664  cmd.exe       PING.EXE
wrote to memory of 2712  3664  cmd.exe       rundll32.exe
wrote to memory of 2712  3664  cmd.exe       rundll32.exe
Processes (process tree, indented by depth)
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 828
  - C:\Windows\system32\cmd.exe
    cmd /c ping 127.0.0.1 -n 10 -i 38 -4 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll", #1 ZF3bI6aD VI0rr2aG & exit
    - Suspicious use of WriteProcessMemory
    PID: 3664
    - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 10 -i 38 -4
      - Runs ping.exe
      PID: 2044
    - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll", #1 ZF3bI6aD VI0rr2aG
      PID: 2712