Analysis
  max time kernel:  150s
  max time network: 153s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240226-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        10/04/2024, 12:35
Static task
  static1

Behavioral task
  behavioral1
  Sample:   8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
  Resource: win7-20240221-en

Behavioral task
  behavioral2
  Sample:   8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
  Resource: win10v2004-20240226-en
General
  Target: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
  Size:   1.6MB
  MD5:    9920efd01b889d5d4143494896af7a5b
  SHA1:   b4368491e0ddc00c2b7e3be6011a9c0f35e11cc7
  SHA256: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad
  SHA512: b6169838cd207f2515471beed2c85d9f476e4e6c320926f0fc7e398093099fc2e944a2f4f83ec2f5e4c6c956429407ec1d22b52f8e8e6f95c99f1f5864040a7b
  SSDEEP: 24576:NxW7qQxzdXXFpudHeKJnQn65Loehn4zfOMk:Nc7rxpXXFpudHej04zfOb
Malware Config
  Extracted family: bazarloader
  C2 addresses: 164.90.221.57, 164.90.213.219, 159.223.21.94, 164.90.213.227
  C2 domains:   reddew28c.bazar, bluehail.bazar, whitestorm9p.bazar
Signatures
  Bazar Loader
    Detected loader normally used to deploy BazarBackdoor malware.

  Delays execution with timeout.exe (1 IoC)
    pid   Process
    3408  timeout.exe

  Suspicious use of WriteProcessMemory (6 IoCs)
    description                     pid   Process       procid_target
    PID 4288 wrote to memory of 1712  4288  rundll32.exe  97
    PID 4288 wrote to memory of 1712  4288  rundll32.exe  97
    PID 1712 wrote to memory of 3408  1712  cmd.exe       99
    PID 1712 wrote to memory of 3408  1712  cmd.exe       99
    PID 1712 wrote to memory of 4128  1712  cmd.exe       100
    PID 1712 wrote to memory of 4128  1712  cmd.exe       100
Processes
  [1] C:\Windows\system32\rundll32.exe (PID 4288)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll,#1
      Signatures: Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe (PID 1712)
        Command line: cmd /c timeout 6 /nobreak > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 pfabigas liarrrav & exit
        Signatures: Suspicious use of WriteProcessMemory
      [3] C:\Windows\system32\timeout.exe (PID 3408)
          Command line: timeout 6 /nobreak
          Signatures: Delays execution with timeout.exe
      [3] C:\Windows\system32\rundll32.exe (PID 4128)
          Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 pfabigas liarrrav