bazarloader | 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-04-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Attachments.lnk
Size

1KB
MD5

e87e52db1aa360baf8444c5524dd2b26
SHA1

b89d0c4568c74f03ec3e1917c22a83c37409b10a
SHA256

6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
SHA512

e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-40-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.exe

flow	pid	process
3	2768	rundll32.exe
5	2768	rundll32.exe
6	2768	rundll32.exe
7	2768	rundll32.exe
10	2768	rundll32.exe
11	2768	rundll32.exe
13	2768	rundll32.exe
14	2768	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2768 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2768	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 2824	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2824	2016	cmd.exe	cmd.exe
PID 2016 wrote to memory of 2824	2016	cmd.exe	cmd.exe
PID 2824 wrote to memory of 2676	2824	cmd.exe	xcopy.exe
PID 2824 wrote to memory of 2676	2824	cmd.exe	xcopy.exe
PID 2824 wrote to memory of 2676	2824	cmd.exe	xcopy.exe
PID 2824 wrote to memory of 2768	2824	cmd.exe	rundll32.exe
PID 2824 wrote to memory of 2768	2824	cmd.exe	rundll32.exe
PID 2824 wrote to memory of 2768	2824	cmd.exe	rundll32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\xcopy.exe
xcopy /y DumpStack.log c:\programdata\
3⤵
PID:2676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2768

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\DumpStack.log
Filesize
217KB

MD5
f7047fdbd3cd218b55cf4e2d6b9fb4f0

SHA1
a9c1e9a78934c9cfa2dbb6562ca8cdb9d67bbb05

SHA256
4bc9368951402ceeeb84da58c82e02a4ea9e09f5a4425daf5094ea5d87a14e9a

SHA512
950f4bde7f04a581496df019719074fa4516ce0bd7ace547a77bbb069467816b4c42236b6f23c4fd476ac74c907fa764861c9422c832c7910ed651b6445138f1

Download Submit
memory/2768-40-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download