Analysis
- max time kernel: 117s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-04-2024 13:00
Static task: static1
Behavioral task: behavioral1
- Sample: Attachments.lnk
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Attachments.lnk
- Resource: win10v2004-20240226-en
Behavioral task: behavioral3
- Sample: DumpStack.dll
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: DumpStack.dll
- Resource: win10v2004-20240226-en
General
- Target: Attachments.lnk
- Size: 1KB
- MD5: e87e52db1aa360baf8444c5524dd2b26
- SHA1: b89d0c4568c74f03ec3e1917c22a83c37409b10a
- SHA256: 6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
- SHA512: e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoCs)
  Processes:
  resource: behavioral1/memory/2768-40-0x0000000180000000-0x000000018003D000-memory.dmp
  yara_rule: BazarLoaderVar5
- Blocklisted process makes network request (8 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  3    | 2768 | rundll32.exe
  5    | 2768 | rundll32.exe
  6    | 2768 | rundll32.exe
  7    | 2768 | rundll32.exe
  10   | 2768 | rundll32.exe
  11   | 2768 | rundll32.exe
  13   | 2768 | rundll32.exe
  14   | 2768 | rundll32.exe
- Loads dropped DLL (1 IoCs)
  Processes: rundll32.exe
  pid  | process
  2768 | rundll32.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, cmd.exe
  description                       | pid  | process | target process
  PID 2016 wrote to memory of 2824  | 2016 | cmd.exe | cmd.exe
  PID 2016 wrote to memory of 2824  | 2016 | cmd.exe | cmd.exe
  PID 2016 wrote to memory of 2824  | 2016 | cmd.exe | cmd.exe
  PID 2824 wrote to memory of 2676  | 2824 | cmd.exe | xcopy.exe
  PID 2824 wrote to memory of 2676  | 2824 | cmd.exe | xcopy.exe
  PID 2824 wrote to memory of 2676  | 2824 | cmd.exe | xcopy.exe
  PID 2824 wrote to memory of 2768  | 2824 | cmd.exe | rundll32.exe
  PID 2824 wrote to memory of 2768  | 2824 | cmd.exe | rundll32.exe
  PID 2824 wrote to memory of 2768  | 2824 | cmd.exe | rundll32.exe
Processes
- (depth 1) C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\xcopy.exe
      Command line: xcopy /y DumpStack.log c:\programdata\
    - (depth 3) C:\Windows\System32\rundll32.exe
      Command line: C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\programdata\DumpStack.log
  Filesize: 217KB
  MD5: f7047fdbd3cd218b55cf4e2d6b9fb4f0
  SHA1: a9c1e9a78934c9cfa2dbb6562ca8cdb9d67bbb05
  SHA256: 4bc9368951402ceeeb84da58c82e02a4ea9e09f5a4425daf5094ea5d87a14e9a
  SHA512: 950f4bde7f04a581496df019719074fa4516ce0bd7ace547a77bbb069467816b4c42236b6f23c4fd476ac74c907fa764861c9422c832c7910ed651b6445138f1
- memory/2768-40-0x0000000180000000-0x000000018003D000-memory.dmp
  Filesize: 244KB