bazarloader | 60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 06:48

Target

52d3254224b69b3ce75f3115619eb0d7.dll
Size

431KB
MD5

52d3254224b69b3ce75f3115619eb0d7
SHA1

2cebca2f2eb7e24b8b5ad1a75acfbdc9fc6dadca
SHA256

60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7
SHA512

00b1b154db74ad942badcb64ba639adb9e5ca85896e8a31630146ba43aa076ef08dc36f245733bb9fe7faaef7b19e86c075ad15e3a3ddf3b099768fd94dec03f
SSDEEP

6144:hh8rsk6YD+oR9XQPzllSJ23WQHcmMOjT/rCtWeOLI007rxqhy4ES5DGxa+7U0/t:hOtyPzzSQ3WEcXOHzt5INqntV+A

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2204-0-0x0000000001EA0000-0x00000000020E7000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2204-1-0x0000000001EA0000-0x00000000020E7000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2204-2-0x0000000001EA0000-0x00000000020E7000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2916-3-0x0000000001EF0000-0x0000000002137000-memory.dmp	BazarLoaderVar3
behavioral1/memory/2916-4-0x0000000001EF0000-0x0000000002137000-memory.dmp	BazarLoaderVar3

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1004 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

regsvr32.exe

pid process

2916 regsvr32.exe

pid	process
1004	PING.EXE

pid	process
2916	regsvr32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2432	2204	regsvr32.exe	cmd.exe
PID 2204 wrote to memory of 2432	2204	regsvr32.exe	cmd.exe
PID 2204 wrote to memory of 2432	2204	regsvr32.exe	cmd.exe
PID 2432 wrote to memory of 1004	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 1004	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 1004	2432	cmd.exe	PING.EXE
PID 2432 wrote to memory of 2916	2432	cmd.exe	regsvr32.exe
PID 2432 wrote to memory of 2916	2432	cmd.exe	regsvr32.exe
PID 2432 wrote to memory of 2916	2432	cmd.exe	regsvr32.exe
PID 2432 wrote to memory of 2916	2432	cmd.exe	regsvr32.exe
PID 2432 wrote to memory of 2916	2432	cmd.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll" mscp ahis & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 8
    3⤵
    - Runs ping.exe
    PID:1004
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll" mscp ahis
    3⤵
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2916

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2204-0-0x0000000001EA0000-0x00000000020E7000-memory.dmp

Filesize
2.3MB

Download
memory/2204-1-0x0000000001EA0000-0x00000000020E7000-memory.dmp

Filesize
2.3MB

Download
memory/2204-2-0x0000000001EA0000-0x00000000020E7000-memory.dmp

Filesize
2.3MB

Download
memory/2916-3-0x0000000001EF0000-0x0000000002137000-memory.dmp

Filesize
2.3MB

Download
memory/2916-4-0x0000000001EF0000-0x0000000002137000-memory.dmp

Filesize
2.3MB

Download