bazarloader | 50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProgramData/huqvg/huqvg.exe
Size

236KB
MD5

efa4b2e7d7016a1f80efff5840de3a18
SHA1

04606786daa6313867c7ada1f0c9c925d9b602fb
SHA256

291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA512

11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
SSDEEP

6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

vacationinsydney2021.bazar

bestsightsofwildaustralia.bazar

sydneynewtours.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2388-2-0x0000000180000000-0x0000000180032000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

ZCUEC0.exeZCUEC0.exe

pid process

2824 ZCUEC0.exe
1032 ZCUEC0.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

2692 cmd.exe
2692 cmd.exe
400 cmd.exe
400 cmd.exe

pid	process
2824	ZCUEC0.exe
1032	ZCUEC0.exe

pid	process
2692	cmd.exe
2692	cmd.exe
400	cmd.exe
400	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ZCUEC0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\V7KMT82MD = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v HH4OHMRRW7 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\\\" NLI7RQB\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\" NLI7RQB"	ZCUEC0.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2792 PING.EXE
1900 PING.EXE
2072 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

huqvg.exe

pid process

2388 huqvg.exe

pid	process
2792	PING.EXE
1900	PING.EXE
2072	PING.EXE

pid	process
2388	huqvg.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

huqvg.execmd.exehuqvg.execmd.exeZCUEC0.execmd.exe

description	pid	process	target process
PID 2388 wrote to memory of 2600	2388	huqvg.exe	cmd.exe
PID 2388 wrote to memory of 2600	2388	huqvg.exe	cmd.exe
PID 2388 wrote to memory of 2600	2388	huqvg.exe	cmd.exe
PID 2600 wrote to memory of 2072	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2072	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2072	2600	cmd.exe	PING.EXE
PID 2600 wrote to memory of 2652	2600	cmd.exe	huqvg.exe
PID 2600 wrote to memory of 2652	2600	cmd.exe	huqvg.exe
PID 2600 wrote to memory of 2652	2600	cmd.exe	huqvg.exe
PID 2652 wrote to memory of 2692	2652	huqvg.exe	cmd.exe
PID 2652 wrote to memory of 2692	2652	huqvg.exe	cmd.exe
PID 2652 wrote to memory of 2692	2652	huqvg.exe	cmd.exe
PID 2692 wrote to memory of 2792	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2792	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2792	2692	cmd.exe	PING.EXE
PID 2692 wrote to memory of 2824	2692	cmd.exe	ZCUEC0.exe
PID 2692 wrote to memory of 2824	2692	cmd.exe	ZCUEC0.exe
PID 2692 wrote to memory of 2824	2692	cmd.exe	ZCUEC0.exe
PID 2824 wrote to memory of 400	2824	ZCUEC0.exe	cmd.exe
PID 2824 wrote to memory of 400	2824	ZCUEC0.exe	cmd.exe
PID 2824 wrote to memory of 400	2824	ZCUEC0.exe	cmd.exe
PID 400 wrote to memory of 1900	400	cmd.exe	PING.EXE
PID 400 wrote to memory of 1900	400	cmd.exe	PING.EXE
PID 400 wrote to memory of 1900	400	cmd.exe	PING.EXE
PID 400 wrote to memory of 1032	400	cmd.exe	ZCUEC0.exe
PID 400 wrote to memory of 1032	400	cmd.exe	ZCUEC0.exe
PID 400 wrote to memory of 1032	400	cmd.exe	ZCUEC0.exe

C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:2072

C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB
3⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:2792

C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:1900

C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB
7⤵
- Executes dropped EXE
PID:1032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
Filesize
236KB

MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
memory/2388-0-0x0000000000420000-0x0000000000423000-memory.dmp

Filesize
12KB

Download
memory/2388-1-0x0000000000460000-0x0000000000462000-memory.dmp

Filesize
8KB

Download
memory/2388-2-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download