Analysis

  • max time kernel
    130s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-04-2024 05:38

General

  • Target
    Documents.lnk
  • Size
    1KB
  • MD5
    ec51abdb23fa981e42880f7f5b14e3cb
  • SHA1
    23d8a6518881e1a674f61c8770f1d61fb41a028a
  • SHA256
    8af83f0076068afdb43cab960420aaf65d8babbe122fde780f8db33fce19a636
  • SHA512
    e6b7441c0cf7e5a2c342a6980debf0f29747178f908979abeb8becaa087c71d10c5a181922ab46c576424ec1cc75085d2effec74def59ecb38701dd832585ebf

Malware Config

Extracted

  • Family
    bazarloader
  • C2
    167.172.108.158
    64.227.66.10
    134.209.91.22
    167.172.108.213
    blackrain15.bazar
    reddew28c.bazar
    bluehail.bazar
    whitestorm9p.bazar

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe (PID 2928)
    cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\rundll32.exe (PID 2868)
      "C:\Windows\System32\rundll32.exe" 1.dll,EnterDll
      • Suspicious use of WriteProcessMemory
      • C:\Windows\System32\cmd.exe (PID 2500)
        cmd /c timeout /t 5 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", EnterDll wdtbkqfe koorgsfd & exit
        • Suspicious use of WriteProcessMemory
        • C:\Windows\system32\timeout.exe (PID 2684)
          timeout /t 5
          • Delays execution with timeout.exe
        • C:\Windows\system32\rundll32.exe (PID 2836)
          "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", EnterDll wdtbkqfe koorgsfd

Network

MITRE ATT&CK Enterprise v15


Downloads

  • memory/2836-39-0x0000000000530000-0x000000000054F000-memory.dmp
    Filesize: 124KB
  • memory/2836-40-0x0000000000530000-0x000000000054F000-memory.dmp
    Filesize: 124KB
  • memory/2868-36-0x00000000001A0000-0x00000000001BF000-memory.dmp
    Filesize: 124KB
  • memory/2868-37-0x00000000001A0000-0x00000000001BF000-memory.dmp
    Filesize: 124KB
  • memory/2868-38-0x00000000001A0000-0x00000000001BF000-memory.dmp
    Filesize: 124KB