Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
28-03-2024 12:19
Static task
static1
Behavioral task
behavioral1
Sample
rt3ret3(3).exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
rt3ret3(3).exe
Resource
win10v2004-20240226-en
General
-
Target
rt3ret3(3).exe
-
Size
236KB
-
MD5
efa4b2e7d7016a1f80efff5840de3a18
-
SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb
-
SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
-
SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
-
SSDEEP
6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w
Malware Config
Extracted
bazarloader
vacationinsydney2021.bazar
bestsightsofwildaustralia.bazar
sydneynewtours.bazar
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2320-2-0x0000000180000000-0x0000000180032000-memory.dmp BazarLoaderVar1 -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
taskmgr.exert3ret3(3).exepid process 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2320 rt3ret3(3).exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 2800 taskmgr.exe -
Suspicious use of FindShellTrayWindow 38 IoCs
Processes:
taskmgr.exepid process 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe -
Suspicious use of SendNotifyMessage 38 IoCs
Processes:
taskmgr.exepid process 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe 2800 taskmgr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rt3ret3(3).execmd.exedescription pid process target process PID 2320 wrote to memory of 3060 2320 rt3ret3(3).exe cmd.exe PID 2320 wrote to memory of 3060 2320 rt3ret3(3).exe cmd.exe PID 2320 wrote to memory of 3060 2320 rt3ret3(3).exe cmd.exe PID 3060 wrote to memory of 2572 3060 cmd.exe PING.EXE PID 3060 wrote to memory of 2572 3060 cmd.exe PING.EXE PID 3060 wrote to memory of 2572 3060 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe"C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe SK8ZDNH2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\PING.EXEping 8.8.8.8 -n 23⤵
- Runs ping.exe
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2320-0-0x0000000000120000-0x0000000000123000-memory.dmpFilesize
12KB
-
memory/2320-1-0x0000000000160000-0x0000000000162000-memory.dmpFilesize
8KB
-
memory/2320-2-0x0000000180000000-0x0000000180032000-memory.dmpFilesize
200KB
-
memory/2800-6-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB