bazarloader | 60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7

Analysis

max time kernel
135s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 06:48

Target

52d3254224b69b3ce75f3115619eb0d7.dll
Size

431KB
MD5

52d3254224b69b3ce75f3115619eb0d7
SHA1

2cebca2f2eb7e24b8b5ad1a75acfbdc9fc6dadca
SHA256

60e3f1aa7f85ea1f92ad1415eb2fd129b790d84954a6537761be3e63338f2de7
SHA512

00b1b154db74ad942badcb64ba639adb9e5ca85896e8a31630146ba43aa076ef08dc36f245733bb9fe7faaef7b19e86c075ad15e3a3ddf3b099768fd94dec03f
SSDEEP

6144:hh8rsk6YD+oR9XQPzllSJ23WQHcmMOjT/rCtWeOLI007rxqhy4ES5DGxa+7U0/t:hOtyPzzSQ3WEcXOHzt5INqntV+A

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1984-0-0x00000000025C0000-0x0000000002807000-memory.dmp	BazarLoaderVar3
behavioral2/memory/1984-1-0x00000000025C0000-0x0000000002807000-memory.dmp	BazarLoaderVar3
behavioral2/memory/1984-2-0x00000000025C0000-0x0000000002807000-memory.dmp	BazarLoaderVar3
behavioral2/memory/1420-3-0x00000000022C0000-0x0000000002507000-memory.dmp	BazarLoaderVar3
behavioral2/memory/1420-4-0x00000000022C0000-0x0000000002507000-memory.dmp	BazarLoaderVar3

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2960 PING.EXE

pid	process
2960	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

regsvr32.execmd.exe

description	pid	process	target process
PID 1984 wrote to memory of 2316	1984	regsvr32.exe	cmd.exe
PID 1984 wrote to memory of 2316	1984	regsvr32.exe	cmd.exe
PID 2316 wrote to memory of 2960	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 2960	2316	cmd.exe	PING.EXE
PID 2316 wrote to memory of 1420	2316	cmd.exe	regsvr32.exe
PID 2316 wrote to memory of 1420	2316	cmd.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 8 & "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll" mscp ahis & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\52d3254224b69b3ce75f3115619eb0d7.dll" mscp ahis
    3⤵
    PID:1420

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1420-3-0x00000000022C0000-0x0000000002507000-memory.dmp

Filesize
2.3MB

Download
memory/1420-4-0x00000000022C0000-0x0000000002507000-memory.dmp

Filesize
2.3MB

Download
memory/1984-0-0x00000000025C0000-0x0000000002807000-memory.dmp

Filesize
2.3MB

Download
memory/1984-1-0x00000000025C0000-0x0000000002807000-memory.dmp

Filesize
2.3MB

Download
memory/1984-2-0x00000000025C0000-0x0000000002807000-memory.dmp

Filesize
2.3MB

Download