bazarloader | aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1

General

Target

1f45bcf1fb8b7ef74a57d19a371f41cf.dll
Size

1.3MB
MD5

1f45bcf1fb8b7ef74a57d19a371f41cf
SHA1

9b7f346a04f8481c22fb6f8853f76349402a7009
SHA256

aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1
SHA512

6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f
SSDEEP

24576:ax12nIqqCgOgFO9fccuUMHKv+i7e1LXEdFoGzIyXjxeKr:aYIqJPV9fcHqmGSr9or

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2484-0-0x0000000027280000-0x00000000272E4000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2484-1-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2484-7-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2484-8-0x0000000027280000-0x00000000272E4000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2972-9-0x0000000027270000-0x00000000272D4000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2972-10-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2972-17-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2972-18-0x0000000027270000-0x00000000272D4000-memory.dmp	BazarLoaderVar3
behavioral1/memory/1344-21-0x0000000001CD0000-0x0000000001D34000-memory.dmp	BazarLoaderVar3

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\gndrvwlsps.exe\" mscp arih"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

840 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2256 PING.EXE
736 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

2972 regsvr32.exe
1344 regsvr32.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

regsvr32.exe

pid process

2972 regsvr32.exe

pid	process
840	reg.exe

pid	process
2256	PING.EXE
736	PING.EXE

pid	process
2972	regsvr32.exe
1344	regsvr32.exe

pid	process
2972	regsvr32.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

regsvr32.execmd.exeregsvr32.execmd.execmd.exe

description	pid	process	target process
PID 2484 wrote to memory of 2632	2484	regsvr32.exe	cmd.exe
PID 2484 wrote to memory of 2632	2484	regsvr32.exe	cmd.exe
PID 2484 wrote to memory of 2632	2484	regsvr32.exe	cmd.exe
PID 2632 wrote to memory of 2256	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2256	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2256	2632	cmd.exe	PING.EXE
PID 2632 wrote to memory of 2972	2632	cmd.exe	regsvr32.exe
PID 2632 wrote to memory of 2972	2632	cmd.exe	regsvr32.exe
PID 2632 wrote to memory of 2972	2632	cmd.exe	regsvr32.exe
PID 2632 wrote to memory of 2972	2632	cmd.exe	regsvr32.exe
PID 2632 wrote to memory of 2972	2632	cmd.exe	regsvr32.exe
PID 2972 wrote to memory of 1508	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 1508	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 1508	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2876	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2876	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2876	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2884	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2884	2972	regsvr32.exe	cmd.exe
PID 2972 wrote to memory of 2884	2972	regsvr32.exe	cmd.exe
PID 2884 wrote to memory of 736	2884	cmd.exe	PING.EXE
PID 2884 wrote to memory of 736	2884	cmd.exe	PING.EXE
PID 2884 wrote to memory of 736	2884	cmd.exe	PING.EXE
PID 2876 wrote to memory of 840	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 840	2876	cmd.exe	reg.exe
PID 2876 wrote to memory of 840	2876	cmd.exe	reg.exe
PID 2884 wrote to memory of 1344	2884	cmd.exe	regsvr32.exe
PID 2884 wrote to memory of 1344	2884	cmd.exe	regsvr32.exe
PID 2884 wrote to memory of 1344	2884	cmd.exe	regsvr32.exe
PID 2884 wrote to memory of 1344	2884	cmd.exe	regsvr32.exe
PID 2884 wrote to memory of 1344	2884	cmd.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
3⤵
- Runs ping.exe
PID:2256

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\system32\cmd.exe
cmd.exe /c echo %temp%
4⤵
PID:1508

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe" mscp arih & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
5⤵
- Runs ping.exe
PID:736

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe" mscp arih
5⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1344

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe\" mscp arih"
4⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe\" mscp arih"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:840

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe
Filesize
281KB

MD5
c546959c0164fd61640f4e3b58e109b2

SHA1
50931075fa8765ad5bec2afb68ae2a1a073a06f2

SHA256
4030f8da4d3d5ff6f12997a429b47f41815e1a50474c247af0bfe227ea0e492e

SHA512
963c733b82aeab6882249b367806d519df646275dd470f168423e658fe7e63c38a2531397719c821391a1278c3a9c3ab5668f3b7289a47cf5091dcb13556b287

Download Submit
\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe
Filesize
235KB

MD5
18c9c5e47291dc21a5b6a895a0c17dd5

SHA1
e853f4190362a78cf5c17d48174136b0236105f6

SHA256
8e969c46089edb69ec706fb2f476e24765ccd5227e19216b6391580dbc778a94

SHA512
e35e9513bc306df1afb8cd3fd716f34399c282e6b636c1031b5f9a9693baa6ad221b2371276a79ed1eae6b8466f3555abde4a569b364928f64c8f66720697c81

Download Submit
memory/1344-21-0x0000000001CD0000-0x0000000001D34000-memory.dmp

Filesize
400KB

Download
memory/2484-0-0x0000000027280000-0x00000000272E4000-memory.dmp

Filesize
400KB

Download
memory/2484-1-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp

Filesize
1.6MB

Download
memory/2484-7-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp

Filesize
1.6MB

Download
memory/2484-8-0x0000000027280000-0x00000000272E4000-memory.dmp

Filesize
400KB

Download
memory/2972-9-0x0000000027270000-0x00000000272D4000-memory.dmp

Filesize
400KB

Download
memory/2972-10-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp

Filesize
1.6MB

Download
memory/2972-17-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp

Filesize
1.6MB

Download
memory/2972-18-0x0000000027270000-0x00000000272D4000-memory.dmp

Filesize
400KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads