Overview
overview
10Static
static
10bazaar.202...ge.exe
windows7-x64
10bazaar.202...ge.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
6bazaar.202...te.exe
windows10-2004-x64
6bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...te.exe
windows7-x64
10bazaar.202...te.exe
windows10-2004-x64
10bazaar.202...32.exe
windows7-x64
7bazaar.202...32.exe
windows10-2004-x64
7bazaar.202...32.exe
windows7-x64
7bazaar.202...32.exe
windows10-2004-x64
7bazaar.202...RC.exe
windows7-x64
10bazaar.202...RC.exe
windows10-2004-x64
10bazaar.202...oad.js
windows7-x64
3bazaar.202...oad.js
windows10-2004-x64
3bazaar.202...nt.exe
windows7-x64
7bazaar.202...nt.exe
windows10-2004-x64
7Resubmissions
28-04-2024 18:31
240428-w6cwyaec5v 1021-04-2024 08:57
240421-kwwqhsfh8z 1021-04-2024 05:45
240421-gfvazacf82 1018-04-2024 19:05
240418-xry2ascb73 1018-04-2024 16:34
240418-t3alashf75 1004-03-2024 18:33
240304-w7b12ahg61 1002-03-2024 17:01
240302-vjn51sff57 1002-03-2024 10:05
240302-l4xhfscc7v 10Analysis
-
max time kernel
141s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
24-07-2023 06:40
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral2
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Revenge.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral4
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral6
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral8
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral10
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral12
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral14
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.SpyGate.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Backdoor.Win32.NetWiredRC.exe
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win7-20230712-en
windows7-x64
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Trojan-Downloader.Script.SLoad.js
Resource
win10v2004-20230703-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Trojan-PSW.MSIL.Agent.exe
Resource
win7-20230712-en
windows7-x64
General
-
Target
bazaar.2020.02/HEUR-Backdoor.Win32.exe
-
Size
43KB
-
MD5
f3cbdffbf6bfc26fe09f95e88b188c09
-
SHA1
e8feb8d7baa1290f591693f068cd6941cb9c878c
-
SHA256
1c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d
-
SHA512
bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3
-
SSDEEP
768:VrgeWGJaj2b2/K6/1CSGIKPlavRzY0nEs3UgLM6KLi0z1xxFopI:ybs4K6dyNPIvRMEEgCnxipI
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
Stpxrq.exeStpxrq.exepid Process 1552 Stpxrq.exe 3684 Stpxrq.exe -
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Stpxrq.exedescription ioc Process File opened (read-only) \??\G: Stpxrq.exe File opened (read-only) \??\I: Stpxrq.exe File opened (read-only) \??\L: Stpxrq.exe File opened (read-only) \??\B: Stpxrq.exe File opened (read-only) \??\H: Stpxrq.exe File opened (read-only) \??\V: Stpxrq.exe File opened (read-only) \??\W: Stpxrq.exe File opened (read-only) \??\Y: Stpxrq.exe File opened (read-only) \??\E: Stpxrq.exe File opened (read-only) \??\J: Stpxrq.exe File opened (read-only) \??\M: Stpxrq.exe File opened (read-only) \??\N: Stpxrq.exe File opened (read-only) \??\P: Stpxrq.exe File opened (read-only) \??\Q: Stpxrq.exe File opened (read-only) \??\S: Stpxrq.exe File opened (read-only) \??\T: Stpxrq.exe File opened (read-only) \??\U: Stpxrq.exe File opened (read-only) \??\Z: Stpxrq.exe File opened (read-only) \??\K: Stpxrq.exe File opened (read-only) \??\O: Stpxrq.exe File opened (read-only) \??\R: Stpxrq.exe File opened (read-only) \??\X: Stpxrq.exe -
Creates a Windows Service
-
Drops file in System32 directory 12 IoCs
Processes:
Stpxrq.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C Stpxrq.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_87A5D2A17D34E46FC933087294B7150D Stpxrq.exe -
Drops file in Program Files directory 2 IoCs
Processes:
HEUR-Backdoor.Win32.exedescription ioc Process File created C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe HEUR-Backdoor.Win32.exe File opened for modification C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe HEUR-Backdoor.Win32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Stpxrq.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Stpxrq.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Stpxrq.exe -
Modifies data under HKEY_USERS 14 IoCs
Processes:
Stpxrq.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ Stpxrq.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" Stpxrq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum Stpxrq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft Stpxrq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7" Stpxrq.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix Stpxrq.exe Key created \REGISTRY\USER\.DEFAULT\Software Stpxrq.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" Stpxrq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" Stpxrq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing Stpxrq.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie Stpxrq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" Stpxrq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" Stpxrq.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" Stpxrq.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Stpxrq.exepid Process 3684 Stpxrq.exe 3684 Stpxrq.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
HEUR-Backdoor.Win32.exepid Process 4340 HEUR-Backdoor.Win32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
HEUR-Backdoor.Win32.exedescription pid Process Token: SeDebugPrivilege 4340 HEUR-Backdoor.Win32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Stpxrq.exedescription pid Process procid_target PID 1552 wrote to memory of 3684 1552 Stpxrq.exe 85 PID 1552 wrote to memory of 3684 1552 Stpxrq.exe 85 PID 1552 wrote to memory of 3684 1552 Stpxrq.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.Win32.exe"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.Win32.exe"1⤵
- Drops file in Program Files directory
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe"C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe"C:\Program Files (x86)\Microsoft Qizfbz\Stpxrq.exe" Win72⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3684
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
43KB
MD5f3cbdffbf6bfc26fe09f95e88b188c09
SHA1e8feb8d7baa1290f591693f068cd6941cb9c878c
SHA2561c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d
SHA512bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3
-
Filesize
43KB
MD5f3cbdffbf6bfc26fe09f95e88b188c09
SHA1e8feb8d7baa1290f591693f068cd6941cb9c878c
SHA2561c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d
SHA512bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3
-
Filesize
43KB
MD5f3cbdffbf6bfc26fe09f95e88b188c09
SHA1e8feb8d7baa1290f591693f068cd6941cb9c878c
SHA2561c659cbf8f73b2dd0ed8238595c225dbc1e87d5ea538c24a5d52faf0f4a49e7d
SHA512bac9cc4ebde8e1133d8a332c327dcc72ef83f3457b3048899be3550c7d1c03c8c59d0ab82304def44793ac9fc91a193a018e6fbb256681b5baad366df4e8b3b3