Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-04-2024 12:35
Static task: static1
Behavioral task: behavioral1
- Sample: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
- Resource: win10v2004-20240226-en
General
- Target: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll
- Size: 1.6MB
- MD5: 9920efd01b889d5d4143494896af7a5b
- SHA1: b4368491e0ddc00c2b7e3be6011a9c0f35e11cc7
- SHA256: 8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad
- SHA512: b6169838cd207f2515471beed2c85d9f476e4e6c320926f0fc7e398093099fc2e944a2f4f83ec2f5e4c6c956429407ec1d22b52f8e8e6f95c99f1f5864040a7b
- SSDEEP: 24576:NxW7qQxzdXXFpudHeKJnQn65Loehn4zfOMk:Nc7rxpXXFpudHej04zfOb
Malware Config
Extracted family: bazarloader
- IP addresses:
  164.90.221.57
  164.90.213.219
  159.223.21.94
  164.90.213.227
- Domains:
  reddew28c.bazar
  bluehail.bazar
  whitestorm9p.bazar
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
  pid   process
  3408  timeout.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, cmd.exe
  description         pid   process       target pid  target process
  wrote to memory of  4288  rundll32.exe  1712        cmd.exe
  wrote to memory of  4288  rundll32.exe  1712        cmd.exe
  wrote to memory of  1712  cmd.exe       3408        timeout.exe
  wrote to memory of  1712  cmd.exe       3408        timeout.exe
  wrote to memory of  1712  cmd.exe       4128        rundll32.exe
  wrote to memory of  1712  cmd.exe       4128        rundll32.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: cmd /c timeout 6 /nobreak > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 pfabigas liarrrav & exit
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe (depth 3)
      Command line: timeout 6 /nobreak
      - Delays execution with timeout.exe
    - C:\Windows\system32\rundll32.exe (depth 3)
      Command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\8d84152b69161bf5abb2f80fef310ec92cc8b1cb23dff18eebd8d039cda8f8ad.dll", #1 pfabigas liarrrav
Network
MITRE ATT&CK Matrix
Downloads
- memory/4128-3-0x0000022826330000-0x000002282634F000-memory.dmp (filesize 124KB)
- memory/4128-4-0x0000022826330000-0x000002282634F000-memory.dmp (filesize 124KB)
- memory/4288-0-0x000001DA566C0000-0x000001DA566DF000-memory.dmp (filesize 124KB)
- memory/4288-1-0x000001DA566C0000-0x000001DA566DF000-memory.dmp (filesize 124KB)
- memory/4288-2-0x000001DA566C0000-0x000001DA566DF000-memory.dmp (filesize 124KB)