bazarloader | c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Analysis

max time kernel
125s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/04/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Attachments.lnk
Size

1KB
MD5

e87e52db1aa360baf8444c5524dd2b26
SHA1

b89d0c4568c74f03ec3e1917c22a83c37409b10a
SHA256

6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1
SHA512

e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2576-41-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 8 IoCs

flow	pid	Process
3	2576	rundll32.exe
5	2576	rundll32.exe
6	2576	rundll32.exe
9	2576	rundll32.exe
10	2576	rundll32.exe
11	2576	rundll32.exe
13	2576	rundll32.exe
14	2576	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
2576	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2764	1628	cmd.exe	29
PID 1628 wrote to memory of 2764	1628	cmd.exe	29
PID 1628 wrote to memory of 2764	1628	cmd.exe	29
PID 2764 wrote to memory of 2528	2764	cmd.exe	30
PID 2764 wrote to memory of 2528	2764	cmd.exe	30
PID 2764 wrote to memory of 2528	2764	cmd.exe	30
PID 2764 wrote to memory of 2576	2764	cmd.exe	31
PID 2764 wrote to memory of 2576	2764	cmd.exe	31
PID 2764 wrote to memory of 2576	2764	cmd.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\xcopy.exe
    xcopy /y DumpStack.log c:\programdata\
    3⤵
    PID:2528
- - C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\programdata\DumpStack.log

Filesize
216KB

MD5
f948fe3f01333c0326d4dd598e4945c0

SHA1
70a619d1b2acbf969b44aded654d6a9257465e2b

SHA256
f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb

SHA512
9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

Download Submit
memory/2576-41-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download