Analysis
-
max time kernel: 148s
max time network: 46s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 12:42
Static task: static1
Behavioral task: behavioral1
  Sample: 1f45bcf1fb8b7ef74a57d19a371f41cf.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1f45bcf1fb8b7ef74a57d19a371f41cf.dll
  Resource: win10v2004-20231215-en
General
-
Target: 1f45bcf1fb8b7ef74a57d19a371f41cf.dll
Size: 1.3MB
MD5: 1f45bcf1fb8b7ef74a57d19a371f41cf
SHA1: 9b7f346a04f8481c22fb6f8853f76349402a7009
SHA256: aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1
SHA512: 6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f
SSDEEP: 24576:ax12nIqqCgOgFO9fccuUMHKv+i7e1LXEdFoGzIyXjxeKr:aYIqJPV9fcHqmGSr9or
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload (5 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/4864-0-0x0000000027FC0000-0x0000000028024000-memory.dmp   BazarLoaderVar3
  behavioral2/memory/4864-1-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp   BazarLoaderVar3
  behavioral2/memory/4864-11-0x0000000027FC0000-0x0000000028024000-memory.dmp  BazarLoaderVar3
  behavioral2/memory/4864-10-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp  BazarLoaderVar3
  behavioral2/memory/4784-12-0x00000000277C0000-0x0000000027824000-memory.dmp  BazarLoaderVar3
-
Runs ping.exe (1 TTPs, 1 IoCs)
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: regsvr32.exe, cmd.exe
  description                        pid   process       target process
  PID 4864 wrote to memory of 544    4864  regsvr32.exe  cmd.exe
  PID 4864 wrote to memory of 544    4864  regsvr32.exe  cmd.exe
  PID 544 wrote to memory of 4324    544   cmd.exe       PING.EXE
  PID 544 wrote to memory of 4324    544   cmd.exe       PING.EXE
  PID 544 wrote to memory of 4784    544   cmd.exe       regsvr32.exe
  PID 544 wrote to memory of 4784    544   cmd.exe       regsvr32.exe
Processes
-
Process tree as recorded by the sandbox. Each entry gives the image path, the nesting depth marker (⤵) as shown in the report, and the full command line; PIDs are taken from the WriteProcessMemory events above.
-
C:\Windows\system32\regsvr32.exe (PID 4864) 1⤵
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\cmd.exe (PID 544) 2⤵
    cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis & exit
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\system32\regsvr32.exe (PID 4784) 3⤵
      "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis
-
C:\Windows\system32\PING.EXE (PID 4324) 1⤵
  ping 127.0.0.1 -n 8
  - Runs ping.exe
  (The report lists PING.EXE at depth 1, but the WriteProcessMemory events show it was started by cmd.exe PID 544. The eight loopback echo requests act as a delay of roughly seven seconds before cmd.exe re-launches regsvr32.exe on the same DLL with the extra arguments "mscp ahis".)
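The chain above (regsvr32.exe silently loading a DLL from the user's Temp directory, spawning cmd.exe that sleeps via ping 127.0.0.1 -n 8 and then re-runs regsvr32.exe on the same DLL) is a pattern worth hunting for in process-creation telemetry. The following is an added example written for this page, not code from the sandbox or from the sample: detection logic run over constructed Sysmon-style process-creation records that mirror the PIDs and command lines in the report. The record layout (pid, ppid, image, cmdline) is an assumption modelled loosely on Sysmon Event ID 1, the parent PID 1234 of the first regsvr32.exe is invented because the report does not show it, and the Program Files entry is a constructed benign control.

```python
"""Detect the regsvr32 -> cmd.exe (ping delay) -> regsvr32 re-launch chain.

Added example for this page; not part of the tria.ge report. The events are
constructed to mirror the report's process tree (fields are an assumption).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1-like; assumed layout)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll"

# Constructed sample telemetry. PIDs 4864/544/4324/4784 and the command lines
# come from the report; the parent PID 1234 and the last (benign) event are invented.
EVENTS = [
    ProcEvent(4864, 1234, r"C:\Windows\system32\regsvr32.exe", f"regsvr32 /s {DLL}"),
    ProcEvent(544, 4864, r"C:\Windows\system32\cmd.exe",
              f'cmd /c ping 127.0.0.1 -n 8 & "C:\\Windows\\system32\\regsvr32.exe" /s "{DLL}" mscp ahis & exit'),
    ProcEvent(4324, 544, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 8"),
    ProcEvent(4784, 544, r"C:\Windows\system32\regsvr32.exe",
              f'"C:\\Windows\\system32\\regsvr32.exe" /s "{DLL}" mscp ahis'),
    # Benign control: an installer registering a COM DLL from Program Files.
    ProcEvent(7000, 6999, r"C:\Windows\system32\regsvr32.exe",
              r'regsvr32 /s "C:\Program Files\Vendor\comlib.dll"'),
]

# "ping 127.0.0.1 -n <count>" used as a sleep primitive; captures the count.
PING_DELAY = re.compile(r"\bping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
# regsvr32 [/flags] <dll>, with the DLL path either quoted or bare.
REGSVR_DLL = re.compile(
    r'regsvr32(?:\.exe)?"?\s+(?:/\w+\s+)*(?:"([^"]+?\.dll)"|(\S+\.dll))', re.I)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def _is_image(event: ProcEvent, name: str) -> bool:
    return event.image.lower().endswith("\\" + name)


def _dll_from(cmdline: str):
    m = REGSVR_DLL.search(cmdline)
    return (m.group(1) or m.group(2)).lower() if m else None


def regsvr32_from_user_temp(events):
    """PIDs of regsvr32.exe instances that load a DLL from %LOCALAPPDATA%\\Temp."""
    hits = []
    for e in events:
        if not _is_image(e, "regsvr32.exe"):
            continue
        dll = _dll_from(e.cmdline)
        if dll and USER_TEMP.search(dll):
            hits.append(e.pid)
    return hits


def detect_regsvr32_delay_relaunch(events):
    """Find cmd.exe children of regsvr32.exe that ping-sleep and then re-run
    regsvr32 on the same DLL their parent loaded.

    Returns (cmd_pid, parent_pid, ping_count, dll_path) per finding.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not _is_image(e, "cmd.exe"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or not _is_image(parent, "regsvr32.exe"):
            continue
        delay = PING_DELAY.search(e.cmdline)
        relaunch_dll = _dll_from(e.cmdline)
        parent_dll = _dll_from(parent.cmdline)
        if not (delay and relaunch_dll and parent_dll):
            continue
        if relaunch_dll != parent_dll:
            continue  # cmd re-runs regsvr32 on a different DLL; not this pattern
        findings.append((e.pid, parent.pid, int(delay.group(1)), relaunch_dll))
    return findings


if __name__ == "__main__":
    print("regsvr32 loading from user Temp:", regsvr32_from_user_temp(EVENTS))
    for cmd_pid, parent_pid, count, dll in detect_regsvr32_delay_relaunch(EVENTS):
        print(f"cmd.exe {cmd_pid} (parent regsvr32 {parent_pid}) sleeps via "
              f"{count} loopback pings then re-launches regsvr32 on {dll}")
```

The two checks are deliberately separate: the Temp-directory check fires on both regsvr32.exe instances (4864 and 4784) and is cheap to run on every process-creation event, while the parent/child check ties the ping delay to a re-launch of the same DLL, which is what distinguishes this loader's chain from an installer that happens to call regsvr32 /s. The benign Program Files event trips neither.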
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
memory dump                                                        filesize
memory/4784-12-0x00000000277C0000-0x0000000027824000-memory.dmp    400KB
memory/4784-13-0x00007FFE59AD0000-0x00007FFE59C72000-memory.dmp    1.6MB
memory/4864-0-0x0000000027FC0000-0x0000000028024000-memory.dmp     400KB
memory/4864-1-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp     1.6MB
memory/4864-11-0x0000000027FC0000-0x0000000028024000-memory.dmp    400KB
memory/4864-10-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp    1.6MB