Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25-12-2023 12:42
Static task
static1
Behavioral task
behavioral1
Sample
1f45bcf1fb8b7ef74a57d19a371f41cf.dll
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
1f45bcf1fb8b7ef74a57d19a371f41cf.dll
Resource
win10v2004-20231215-en
General
-
Target
1f45bcf1fb8b7ef74a57d19a371f41cf.dll
-
Size
1.3MB
-
MD5
1f45bcf1fb8b7ef74a57d19a371f41cf
-
SHA1
9b7f346a04f8481c22fb6f8853f76349402a7009
-
SHA256
aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1
-
SHA512
6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f
-
SSDEEP
24576:ax12nIqqCgOgFO9fccuUMHKv+i7e1LXEdFoGzIyXjxeKr:aYIqJPV9fcHqmGSr9or
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 9 IoCs
Processes:
resource yara_rule behavioral1/memory/2484-0-0x0000000027280000-0x00000000272E4000-memory.dmp BazarLoaderVar3 behavioral1/memory/2484-1-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp BazarLoaderVar3 behavioral1/memory/2484-7-0x000007FEF6720000-0x000007FEF68C2000-memory.dmp BazarLoaderVar3 behavioral1/memory/2484-8-0x0000000027280000-0x00000000272E4000-memory.dmp BazarLoaderVar3 behavioral1/memory/2972-9-0x0000000027270000-0x00000000272D4000-memory.dmp BazarLoaderVar3 behavioral1/memory/2972-10-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp BazarLoaderVar3 behavioral1/memory/2972-17-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmp BazarLoaderVar3 behavioral1/memory/2972-18-0x0000000027270000-0x00000000272D4000-memory.dmp BazarLoaderVar3 behavioral1/memory/1344-21-0x0000000001CD0000-0x0000000001D34000-memory.dmp BazarLoaderVar3 -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\RealtechUpdate = "\"C:\\Windows\\system32\\regsvr32.exe\" /s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Damp\\gndrvwlsps.exe\" mscp arih" reg.exe -
Modifies registry key 1 TTPs 1 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs
Processes:
regsvr32.exeregsvr32.exepid process 2972 regsvr32.exe 1344 regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
regsvr32.exepid process 2972 regsvr32.exe -
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
regsvr32.execmd.exeregsvr32.execmd.execmd.exedescription pid process target process PID 2484 wrote to memory of 2632 2484 regsvr32.exe cmd.exe PID 2484 wrote to memory of 2632 2484 regsvr32.exe cmd.exe PID 2484 wrote to memory of 2632 2484 regsvr32.exe cmd.exe PID 2632 wrote to memory of 2256 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2256 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2256 2632 cmd.exe PING.EXE PID 2632 wrote to memory of 2972 2632 cmd.exe regsvr32.exe PID 2632 wrote to memory of 2972 2632 cmd.exe regsvr32.exe PID 2632 wrote to memory of 2972 2632 cmd.exe regsvr32.exe PID 2632 wrote to memory of 2972 2632 cmd.exe regsvr32.exe PID 2632 wrote to memory of 2972 2632 cmd.exe regsvr32.exe PID 2972 wrote to memory of 1508 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 1508 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 1508 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2876 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2876 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2876 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2884 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2884 2972 regsvr32.exe cmd.exe PID 2972 wrote to memory of 2884 2972 regsvr32.exe cmd.exe PID 2884 wrote to memory of 736 2884 cmd.exe PING.EXE PID 2884 wrote to memory of 736 2884 cmd.exe PING.EXE PID 2884 wrote to memory of 736 2884 cmd.exe PING.EXE PID 2876 wrote to memory of 840 2876 cmd.exe reg.exe PID 2876 wrote to memory of 840 2876 cmd.exe reg.exe PID 2876 wrote to memory of 840 2876 cmd.exe reg.exe PID 2884 wrote to memory of 1344 2884 cmd.exe regsvr32.exe PID 2884 wrote to memory of 1344 2884 cmd.exe regsvr32.exe PID 2884 wrote to memory of 1344 2884 cmd.exe regsvr32.exe PID 2884 wrote to memory of 1344 2884 cmd.exe regsvr32.exe PID 2884 wrote to memory of 1344 2884 cmd.exe regsvr32.exe
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 83⤵
- Runs ping.exe
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c echo %temp%4⤵
-
C:\Windows\system32\cmd.execmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe" mscp arih & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 85⤵
- Runs ping.exe
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe" mscp arih5⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Windows\system32\cmd.execmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe\" mscp arih"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v RealtechUpdate /t REG_SZ /d "\"C:\Windows\system32\regsvr32.exe\" /s \"C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exe\" mscp arih"5⤵
- Adds Run key to start application
- Modifies registry key
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exeFilesize
281KB
MD5c546959c0164fd61640f4e3b58e109b2
SHA150931075fa8765ad5bec2afb68ae2a1a073a06f2
SHA2564030f8da4d3d5ff6f12997a429b47f41815e1a50474c247af0bfe227ea0e492e
SHA512963c733b82aeab6882249b367806d519df646275dd470f168423e658fe7e63c38a2531397719c821391a1278c3a9c3ab5668f3b7289a47cf5091dcb13556b287
-
\Users\Admin\AppData\Local\Temp\Damp\gndrvwlsps.exeFilesize
235KB
MD518c9c5e47291dc21a5b6a895a0c17dd5
SHA1e853f4190362a78cf5c17d48174136b0236105f6
SHA2568e969c46089edb69ec706fb2f476e24765ccd5227e19216b6391580dbc778a94
SHA512e35e9513bc306df1afb8cd3fd716f34399c282e6b636c1031b5f9a9693baa6ad221b2371276a79ed1eae6b8466f3555abde4a569b364928f64c8f66720697c81
-
memory/1344-21-0x0000000001CD0000-0x0000000001D34000-memory.dmpFilesize
400KB
-
memory/2484-0-0x0000000027280000-0x00000000272E4000-memory.dmpFilesize
400KB
-
memory/2484-1-0x000007FEF6720000-0x000007FEF68C2000-memory.dmpFilesize
1.6MB
-
memory/2484-7-0x000007FEF6720000-0x000007FEF68C2000-memory.dmpFilesize
1.6MB
-
memory/2484-8-0x0000000027280000-0x00000000272E4000-memory.dmpFilesize
400KB
-
memory/2972-9-0x0000000027270000-0x00000000272D4000-memory.dmpFilesize
400KB
-
memory/2972-10-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmpFilesize
1.6MB
-
memory/2972-17-0x000007FEF5E40000-0x000007FEF5FE2000-memory.dmpFilesize
1.6MB
-
memory/2972-18-0x0000000027270000-0x00000000272D4000-memory.dmpFilesize
400KB