Analysis
max time kernel: 139s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 12:35
Static task: static1
Behavioral task: behavioral1
  Sample: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
  Resource: win10v2004-20240226-en
General
Target: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
Size: 1.6MB
MD5: 9920efd01b889d5d4143494896af7a5b
SHA1: b4368491e0ddc00c2b7e3be6011a9c0f35e11cc7
SHA256: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad
SHA512: b6169838cd207f2515471beed2c85d9f476e4e6c320926f0fc7e398093099fc2e944a2f4f83ec2f5e4c6c956429407ec1d22b52f8e8e6f95c99f1f5864040a7b
SSDEEP: 24576:NxW7qQxzdXXFpudHeKJnQn65Loehn4zfOMk:Nc7rxpXXFpudHej04zfOb
Malware Config
Extracted: bazarloader
IP addresses:
  164.90.221.57
  164.90.213.219
  159.223.21.94
  164.90.213.227
Domains:
  reddew28c.bazar
  bluehail.bazar
  whitestorm9p.bazar
The .bazar names live in an EmerDNS (blockchain DNS) zone that the public DNS root does not serve; they resolve only through EmerDNS-aware (OpenNIC-style) resolvers, so a .bazar query seen from an ordinary host is itself a strong indicator, whether or not the name is one of the three listed here.
Signatures
Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID / process -> target PID / process (each recorded three times):
    2704 rundll32.exe -> 2796 cmd.exe
    2796 cmd.exe -> 2396 choice.exe
    2796 cmd.exe -> 2800 rundll32.exe
  Every write is from a parent into a child it has just created, which is what normal process start-up looks like (the parent populates the new process's parameters). On its own this is weak evidence of injection; the relaunch chain in the process tree, not these writes, is what characterises the sample.
Processes
1  C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll,#1
   - Suspicious use of WriteProcessMemory
   2  C:\Windows\system32\cmd.exe
      cmd /c choice /n /c y /d y /t 9 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 wdtbkqfe koorgsfd & exit
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\choice.exe
         choice /n /c y /d y /t 9
      3  C:\Windows\system32\rundll32.exe
         "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 wdtbkqfe koorgsfd
The sandbox loads the DLL through rundll32 by ordinal (#1). That export spawns cmd.exe, which uses "choice /n /c y /d y /t 9" (auto-select "y" after 9 seconds, output discarded) as a sleep and then relaunches the same DLL through rundll32 with the same ordinal plus two arguments, wdtbkqfe koorgsfd. The second rundll32 (PID 2800) is the instance the later memory dumps are taken from; the original rundll32 (PID 2704) and cmd.exe exit once the relaunch has been issued.
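Hunting logic derived from the two sections above (the extracted configuration and the process tree), written here as an added example: it is not part of the sandbox report or of any vendor's tooling. The events are constructed records using Sysmon's field names for ProcessCreate (EventID 1), NetworkConnect (EventID 3) and DnsQuery (EventID 22); the PIDs, images and command lines mirror the report's process tree, while explorer.exe (PID 1500), its cmd.exe child, the benign DNS/IP entries and the otherhost.bazar query are invented. The process-chain check requires all three elements seen in the report (a rundll32 parent, a choice-based delay, and a rundll32 relaunch of a DLL by ordinal #1), so scripts that merely use choice as a sleep do not fire; the network check goes slightly beyond the listed names and flags any .bazar query, since the TLD is not served by the public DNS root.

```python
"""Hunting checks for the behaviour in the report above.

Added example, not part of the sandbox report or of any vendor's tooling.
Events are constructed dicts with Sysmon field names (EventID 1 ProcessCreate,
3 NetworkConnect, 22 DnsQuery).
"""
import re

# Indicators copied from the report's "Malware Config" section.
BAZAR_IPS = {"164.90.221.57", "164.90.213.219", "159.223.21.94", "164.90.213.227"}
BAZAR_DOMAINS = {"reddew28c.bazar", "bluehail.bazar", "whitestorm9p.bazar"}

# Process tree in the report: rundll32 -> cmd.exe that sleeps with
# "choice /n /c y /d y /t 9" and relaunches rundll32 on the same DLL via ordinal #1.
CHOICE_DELAY = re.compile(r"\bchoice\b[^&|]*?/t\s+(\d+)", re.I)
RUNDLL_ORDINAL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^"]+\.dll)"?\s*,\s*#1\b', re.I)


def _image_is(event, name):
    return event["Image"].lower().endswith("\\" + name)


def check_process_chain(events):
    """One finding per cmd.exe that was spawned by rundll32.exe, delays with
    choice, and relaunches rundll32 on a DLL by ordinal #1. Each finding lists
    the rundll32 children of that cmd.exe that actually ran the same DLL."""
    creates = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for cmd in creates.values():
        if not _image_is(cmd, "cmd.exe"):
            continue
        parent = creates.get(cmd["ParentProcessId"])
        if parent is None or not _image_is(parent, "rundll32.exe"):
            continue
        delay = CHOICE_DELAY.search(cmd["CommandLine"])
        relaunch = RUNDLL_ORDINAL.search(cmd["CommandLine"])
        if not (delay and relaunch):
            continue
        dll = relaunch.group(1)
        children = [
            c["ProcessId"] for c in creates.values()
            if c["ParentProcessId"] == cmd["ProcessId"]
            and _image_is(c, "rundll32.exe")
            and dll.lower() in c["CommandLine"].lower()
        ]
        findings.append({
            "parent_pid": parent["ProcessId"],
            "cmd_pid": cmd["ProcessId"],
            "delay_seconds": int(delay.group(1)),
            "dll": dll,
            "relaunched_pids": children,
        })
    return findings


def check_network(events):
    """Flag queries for the listed .bazar names, any other .bazar query (the TLD
    is an EmerDNS zone, so ordinary hosts have no reason to ask for it), and
    connections to the listed IPs."""
    findings = []
    for e in events:
        if e["EventID"] == 22:
            name = e["QueryName"].lower().rstrip(".")
            if name in BAZAR_DOMAINS:
                findings.append(("known_bazar_domain", e["ProcessId"], name))
            elif name.endswith(".bazar"):
                findings.append(("bazar_tld_query", e["ProcessId"], name))
        elif e["EventID"] == 3 and e["DestinationIp"] in BAZAR_IPS:
            findings.append(("known_bazar_ip", e["ProcessId"], e["DestinationIp"]))
    return findings


SYS32 = r"C:\Windows\system32"
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll")

# Constructed events: PIDs and command lines follow the report's process tree;
# explorer.exe (PID 1500), its children and the non-bazar entries are invented noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2704, "ParentProcessId": 1234,
     "Image": SYS32 + r"\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"EventID": 1, "ProcessId": 2796, "ParentProcessId": 2704, "Image": SYS32 + r"\cmd.exe",
     "CommandLine": f'cmd /c choice /n /c y /d y /t 9 > NUL & "{SYS32}\\rundll32.exe" '
                    f'"{DLL}", #1 wdtbkqfe koorgsfd & exit'},
    {"EventID": 1, "ProcessId": 2396, "ParentProcessId": 2796,
     "Image": SYS32 + r"\choice.exe", "CommandLine": "choice /n /c y /d y /t 9"},
    {"EventID": 1, "ProcessId": 2800, "ParentProcessId": 2796, "Image": SYS32 + r"\rundll32.exe",
     "CommandLine": f'"{SYS32}\\rundll32.exe" "{DLL}", #1 wdtbkqfe koorgsfd'},
    {"EventID": 1, "ProcessId": 1500, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 1500, "Image": SYS32 + r"\cmd.exe",
     "CommandLine": "cmd /c choice /n /c y /d y /t 5 > NUL & echo done"},
    {"EventID": 22, "ProcessId": 2800, "QueryName": "bluehail.bazar"},
    {"EventID": 22, "ProcessId": 2800, "QueryName": "otherhost.bazar"},
    {"EventID": 22, "ProcessId": 1500, "QueryName": "www.microsoft.com"},
    {"EventID": 3, "ProcessId": 2800, "DestinationIp": "164.90.221.57"},
    {"EventID": 3, "ProcessId": 1500, "DestinationIp": "198.51.100.7"},
]

if __name__ == "__main__":
    for f in check_process_chain(SAMPLE_EVENTS):
        print("process chain:", f)
    for f in check_network(SAMPLE_EVENTS):
        print("network:", f)
```

Running the file prints one process-chain finding (cmd.exe 2796 under rundll32 2704, a 9-second delay, relaunched in PID 2800) and three network findings; the benign cmd.exe under explorer.exe is not reported because its parent is not rundll32 and it never relaunches a DLL. To use the checks on real telemetry, feed them Sysmon events converted to dicts with the same field names.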
Network
MITRE ATT&CK Matrix
Downloads
memory/2704-0-0x0000000000190000-0x00000000001AF000-memory.dmp  124KB
memory/2704-1-0x0000000000190000-0x00000000001AF000-memory.dmp  124KB
memory/2704-2-0x0000000000190000-0x00000000001AF000-memory.dmp  124KB
memory/2800-3-0x00000000001A0000-0x00000000001BF000-memory.dmp  124KB
memory/2800-4-0x00000000001A0000-0x00000000001BF000-memory.dmp  124KB
All five dumps cover a 0x1F000-byte region: three snapshots from the first rundll32 (PID 2704) and two from the relaunched one (PID 2800), at slightly different base addresses in each process.