bazarloader | aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1

Analysis

max time kernel
148s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f45bcf1fb8b7ef74a57d19a371f41cf.dll
Size

1.3MB
MD5

1f45bcf1fb8b7ef74a57d19a371f41cf
SHA1

9b7f346a04f8481c22fb6f8853f76349402a7009
SHA256

aee116011409a5bec7d356bd8f704df0a361fb029bf20178d49e02607798d9a1
SHA512

6cdbc392b650420d9238d7400956fa41ec9ede827576b9023b977e232dd18b3dd72f36082fc6cdb5af7f62868b0bd00e9b718522799467c674efb6202a169f9f
SSDEEP

24576:ax12nIqqCgOgFO9fccuUMHKv+i7e1LXEdFoGzIyXjxeKr:aYIqJPV9fcHqmGSr9or

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4864-0-0x0000000027FC0000-0x0000000028024000-memory.dmp	BazarLoaderVar3
behavioral2/memory/4864-1-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp	BazarLoaderVar3
behavioral2/memory/4864-11-0x0000000027FC0000-0x0000000028024000-memory.dmp	BazarLoaderVar3
behavioral2/memory/4864-10-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp	BazarLoaderVar3
behavioral2/memory/4784-12-0x00000000277C0000-0x0000000027824000-memory.dmp	BazarLoaderVar3

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4324 PING.EXE

pid	process
4324	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 4864 wrote to memory of 544	4864	regsvr32.exe	cmd.exe
PID 4864 wrote to memory of 544	4864	regsvr32.exe	cmd.exe
PID 544 wrote to memory of 4324	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 4324	544	cmd.exe	PING.EXE
PID 544 wrote to memory of 4784	544	cmd.exe	regsvr32.exe
PID 544 wrote to memory of 4784	544	cmd.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\1f45bcf1fb8b7ef74a57d19a371f41cf.dll" mscp ahis
3⤵
PID:4784

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 8
1⤵
- Runs ping.exe
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4784-12-0x00000000277C0000-0x0000000027824000-memory.dmp

Filesize
400KB

Download
memory/4784-13-0x00007FFE59AD0000-0x00007FFE59C72000-memory.dmp

Filesize
1.6MB

Download
memory/4864-0-0x0000000027FC0000-0x0000000028024000-memory.dmp

Filesize
400KB

Download
memory/4864-1-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp

Filesize
1.6MB

Download
memory/4864-11-0x0000000027FC0000-0x0000000028024000-memory.dmp

Filesize
400KB

Download
memory/4864-10-0x00007FFE69250000-0x00007FFE693F2000-memory.dmp

Filesize
1.6MB

Download