Overview
overview
10Static
static
8ProgramDat...vg.exe
windows7-x64
10ProgramDat...vg.exe
windows10-2004-x64
10Users/Public/4123.dll
windows7-x64
10Users/Public/4123.dll
windows10-2004-x64
10Users/Publ...3.xlsb
windows7-x64
1Users/Publ...3.xlsb
windows10-2004-x64
1Users/wilm...mp.dll
windows7-x64
10Users/wilm...mp.dll
windows10-2004-x64
10Users/wilm...3.xlsb
windows7-x64
10Users/wilm...3.xlsb
windows10-2004-x64
10Windows/Te...64.exe
windows7-x64
1Windows/Te...64.exe
windows10-2004-x64
1Windows/Te...64.exe
windows7-x64
7Windows/Te...64.exe
windows10-2004-x64
1Windows/Te...64.exe
windows7-x64
7Windows/Te...64.exe
windows10-2004-x64
7Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-06-2024 11:22
Behavioral task
behavioral1
Sample
ProgramData/huqvg/huqvg.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ProgramData/huqvg/huqvg.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral3
Sample
Users/Public/4123.dll
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
Users/Public/4123.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
Users/Public/4123.xlsb
Resource
win7-20240611-en
Behavioral task
behavioral6
Sample
Users/Public/4123.xlsb
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
Resource
win7-20240611-en
Behavioral task
behavioral10
Sample
Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
Resource
win10v2004-20240611-en
Behavioral task
behavioral11
Sample
Windows/Temp/adf/anchorAsjuster_x64.exe
Resource
win7-20240508-en
Behavioral task
behavioral12
Sample
Windows/Temp/adf/anchorAsjuster_x64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral13
Sample
Windows/Temp/adf/anchorDNS_x64.exe
Resource
win7-20240419-en
Behavioral task
behavioral14
Sample
Windows/Temp/adf/anchorDNS_x64.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral15
Sample
Windows/Temp/adf/anchor_x64.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
Windows/Temp/adf/anchor_x64.exe
Resource
win10v2004-20240611-en
General
-
Target
ProgramData/huqvg/huqvg.exe
-
Size
236KB
-
MD5
efa4b2e7d7016a1f80efff5840de3a18
-
SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb
-
SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
-
SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
-
SSDEEP
6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w
Malware Config
Extracted
bazarloader
vacationinsydney2021.bazar
bestsightsofwildaustralia.bazar
sydneynewtours.bazar
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
resource yara_rule behavioral1/memory/2388-2-0x0000000180000000-0x0000000180032000-memory.dmp BazarLoaderVar1 -
Executes dropped EXE 2 IoCs
pid Process 2824 ZCUEC0.exe 1032 ZCUEC0.exe -
Loads dropped DLL 4 IoCs
pid Process 2692 cmd.exe 2692 cmd.exe 400 cmd.exe 400 cmd.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\V7KMT82MD = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v HH4OHMRRW7 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\\\" NLI7RQB\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\" NLI7RQB" ZCUEC0.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 2792 PING.EXE 1900 PING.EXE 2072 PING.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2388 huqvg.exe -
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2600 2388 huqvg.exe 28 PID 2388 wrote to memory of 2600 2388 huqvg.exe 28 PID 2388 wrote to memory of 2600 2388 huqvg.exe 28 PID 2600 wrote to memory of 2072 2600 cmd.exe 30 PID 2600 wrote to memory of 2072 2600 cmd.exe 30 PID 2600 wrote to memory of 2072 2600 cmd.exe 30 PID 2600 wrote to memory of 2652 2600 cmd.exe 31 PID 2600 wrote to memory of 2652 2600 cmd.exe 31 PID 2600 wrote to memory of 2652 2600 cmd.exe 31 PID 2652 wrote to memory of 2692 2652 huqvg.exe 34 PID 2652 wrote to memory of 2692 2652 huqvg.exe 34 PID 2652 wrote to memory of 2692 2652 huqvg.exe 34 PID 2692 wrote to memory of 2792 2692 cmd.exe 36 PID 2692 wrote to memory of 2792 2692 cmd.exe 36 PID 2692 wrote to memory of 2792 2692 cmd.exe 36 PID 2692 wrote to memory of 2824 2692 cmd.exe 37 PID 2692 wrote to memory of 2824 2692 cmd.exe 37 PID 2692 wrote to memory of 2824 2692 cmd.exe 37 PID 2824 wrote to memory of 400 2824 ZCUEC0.exe 38 PID 2824 wrote to memory of 400 2824 ZCUEC0.exe 38 PID 2824 wrote to memory of 400 2824 ZCUEC0.exe 38 PID 400 wrote to memory of 1900 400 cmd.exe 40 PID 400 wrote to memory of 1900 400 cmd.exe 40 PID 400 wrote to memory of 1900 400 cmd.exe 40 PID 400 wrote to memory of 1032 400 cmd.exe 41 PID 400 wrote to memory of 1032 400 cmd.exe 41 PID 400 wrote to memory of 1032 400 cmd.exe 41
Processes
-
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\system32\cmd.execmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB2⤵
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\system32\PING.EXEping 8.8.8.8 -n 23⤵
- Runs ping.exe
PID:2072
-
-
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exeC:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB3⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\system32\cmd.execmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\system32\PING.EXEping 8.8.8.8 -n 25⤵
- Runs ping.exe
PID:2792
-
-
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exeC:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\cmd.execmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\system32\PING.EXEping 8.8.8.8 -n 27⤵
- Runs ping.exe
PID:1900
-
-
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exeC:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB7⤵
- Executes dropped EXE
PID:1032
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5efa4b2e7d7016a1f80efff5840de3a18
SHA104606786daa6313867c7ada1f0c9c925d9b602fb
SHA256291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA51211446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced