Analysis
max time kernel: 115s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/04/2024, 05:38
Static task: static1
Behavioral task: behavioral1, sample 1.dll, resource win7-20240221-en
Behavioral task: behavioral2, sample 1.dll, resource win10v2004-20240226-en
Behavioral task: behavioral3, sample Documents.lnk, resource win7-20240221-en
Behavioral task: behavioral4, sample Documents.lnk, resource win10v2004-20240226-en
General
Target: Documents.lnk
Size: 1KB
MD5: ec51abdb23fa981e42880f7f5b14e3cb
SHA1: 23d8a6518881e1a674f61c8770f1d61fb41a028a
SHA256: 8af83f0076068afdb43cab960420aaf65d8babbe122fde780f8db33fce19a636
SHA512: e6b7441c0cf7e5a2c342a6980debf0f29747178f908979abeb8becaa087c71d10c5a181922ab46c576424ec1cc75085d2effec74def59ecb38701dd832585ebf
Malware Config
Extracted: bazarloader
C2 addresses:
167.172.108.158
64.227.66.10
134.209.91.22
167.172.108.213
C2 domains (.bazar is an Emercoin blockchain TLD; these names are not resolvable through ordinary ICANN DNS, so resolver logs will not show them unless the loader's EmerDNS lookups are captured):
blackrain15.bazar
reddew28c.bazar
bluehail.bazar
whitestorm9p.bazar
Signatures
Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation (process: cmd.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  PID 232 PING.EXE
Suspicious use of WriteProcessMemory (8 IoCs)
  PID 4392 cmd.exe wrote to memory of PID 2092 (procid_target 93), 2 events
  PID 2092 rundll32.exe wrote to memory of PID 1920 (procid_target 105), 2 events
  PID 1920 cmd.exe wrote to memory of PID 232 (procid_target 107), 2 events
  PID 1920 cmd.exe wrote to memory of PID 3668 (procid_target 108), 2 events
  Each source/target pair is a parent and the child it spawned in the process tree below, so these writes reflect process creation rather than injection into an unrelated process.
Processes
C:\Windows\system32\cmd.exe (PID 4392)
  cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\rundll32.exe (PID 2092)
    "C:\Windows\System32\rundll32.exe" 1.dll,EnterDll
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe (PID 1920)
      cmd /c ping 192.0.2.221 -n 6 -i 116 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", EnterDll pfabigas liarrrav & exit
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\PING.EXE (PID 232)
        ping 192.0.2.221 -n 6 -i 116 -w 1000
        - Runs ping.exe
      C:\Windows\system32\rundll32.exe (PID 3668)
        "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", EnterDll pfabigas liarrrav
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4480)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3804 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
  (browser utility process started by the sandbox image, not part of the sample's chain)

Reading the chain: the LNK is executed through cmd.exe, which starts rundll32 on 1.dll by bare name (resolved through the DLL search path, here landing on the copy in the user's Temp folder) with the EnterDll export. That first rundll32 instance then spawns a second cmd.exe whose only job is to ping 192.0.2.221 (a TEST-NET-3 address that is never routed) six times with a one-second timeout, i.e. a sleep of several seconds, before relaunching the same DLL by full path with the same export and two string arguments. The ping-then-relaunch pattern is a cheap sandbox-evasion and self-restart idiom and is a better detection anchor than the DLL hash, which changes per build.
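The process chain above can be turned into detection logic that does not depend on the sample's hashes. The following is an added example written for this report, not tria.ge output and not code from the BazarLoader family: it replays the report's process tree as a constructed list of process-creation records (PIDs, images and command lines copied from the tree; the two roots are given ppid 0 and the msedge command line is shortened) and flags three behaviours: an LNK executed through cmd.exe, rundll32 loading a DLL by relative name or from a user-writable directory, and a ping to a non-routable address chained with & in front of a loader binary. The rule names and the set of user-writable directories are this example's own choices.

```python
import ipaddress
import ntpath
import re

# Constructed sample input (not from the sandbox itself): the process tree of
# this report rewritten as (pid, ppid, image, command line) records, the shape a
# Sysmon Event ID 1 or EDR process-creation feed produces. PIDs, images and
# command lines are taken from the report; the two roots get ppid 0 and the
# msedge command line is shortened. Nothing else is assumed.
EVENTS = [
    (4392, 0, r"C:\Windows\system32\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk"),
    (2092, 4392, r"C:\Windows\System32\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" 1.dll,EnterDll'),
    (1920, 2092, r"C:\Windows\System32\cmd.exe",
     r'cmd /c ping 192.0.2.221 -n 6 -i 116 -w 1000 & "C:\Windows\system32\rundll32.exe" '
     r'"C:\Users\Admin\AppData\Local\Temp\1.dll", EnterDll pfabigas liarrrav & exit'),
    (232, 1920, r"C:\Windows\system32\PING.EXE",
     r"ping 192.0.2.221 -n 6 -i 116 -w 1000"),
    (3668, 1920, r"C:\Windows\system32\rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", '
     r"EnterDll pfabigas liarrrav"),
    (4480, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US'),
]

# Directories a standard user can write to (example's own list); a DLL loaded
# from one of these by rundll32 is suspect.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)
# rundll32 argument form: <dll>,<export>, with optional quotes and spaces around the comma.
DLL_ARG = re.compile(r'"?(?P<dll>[^"\s,]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# Binaries commonly chained after a ping delay to stage or execute a payload.
LOADERS = re.compile(r"\b(rundll32|regsvr32|mshta|powershell|wscript|cscript)\b", re.I)


def split_chain(cmdline):
    """Split a cmd.exe command line into the commands it chains with &, && or |."""
    return [seg.strip() for seg in re.split(r"&&?|\|\|?", cmdline) if seg.strip()]


def ping_sleep_followed_by_loader(cmdline):
    """Return (ping_host, next_command) when a ping directly precedes a loader."""
    segs = split_chain(cmdline)
    for seg, nxt in zip(segs, segs[1:]):
        m = re.search(r"\bping\s+(\S+)", seg, re.I)
        if m and LOADERS.search(nxt):
            return m.group(1), nxt
    return None


def describe_ping_target(host):
    """Classify the ping target; a non-routable address shows ping is only a timer."""
    try:
        return "routable" if ipaddress.ip_address(host).is_global else "non-routable"
    except ValueError:
        return "hostname"


def ancestry(pid, by_pid):
    """Walk parent links back to the root and render the image names, child first."""
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid][2]).lower())
        pid = by_pid[pid][1]
    return " <- ".join(chain)


def analyse(events):
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = ntpath.basename(image).lower()
        if name == "cmd.exe" and re.search(r"\.lnk\b", cmdline, re.I):
            findings.append({"pid": pid, "rule": "lnk_executed_via_cmd", "detail": cmdline})
        if name == "cmd.exe":
            hit = ping_sleep_followed_by_loader(cmdline)
            if hit:
                host, nxt = hit
                findings.append({"pid": pid, "rule": "ping_sleep_then_loader",
                                 "detail": f"ping {host} ({describe_ping_target(host)}) -> {nxt}"})
        if name == "rundll32.exe":
            m = DLL_ARG.search(cmdline)
            # A bare DLL name (1.dll) goes through the DLL search path, which
            # includes the working directory; here that was the user's Temp folder.
            if m and (USER_WRITABLE.search(m.group("dll")) or not ntpath.isabs(m.group("dll"))):
                findings.append({"pid": pid, "rule": "rundll32_dll_from_user_path",
                                 "detail": f"{m.group('dll')} export {m.group('export')}; "
                                           f"chain: {ancestry(pid, by_pid)}"})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f["pid"], f["rule"], f["detail"])
```

The msedge and PING.EXE records produce no findings, which is the point of keying on the cmd.exe and rundll32.exe command lines rather than on child count or the ping itself: ping alone is noise, ping chained with & in front of a LOLBin from a user-writable path is not. On a real feed, swap EVENTS for the parsed Sysmon or EDR events and keep the ancestry string in the alert, since the cmd -> rundll32 -> cmd -> rundll32 nesting is what distinguishes this loader's restart from an administrator running rundll32 once.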