Overview (score 10)

Static (score 8)

Behavioral tasks (sample, platform, score):
  ProgramDat...vg.exe      windows7-x64          10
  ProgramDat...vg.exe      windows10-2004-x64    10
  Users/Public/4123.dll    windows7-x64          10
  Users/Public/4123.dll    windows10-2004-x64    10
  Users/Publ...3.xlsb      windows7-x64           1
  Users/Publ...3.xlsb      windows10-2004-x64     1
  Users/wilm...mp.dll      windows7-x64          10
  Users/wilm...mp.dll      windows10-2004-x64    10
  Users/wilm...3.xlsb      windows7-x64          10
  Users/wilm...3.xlsb      windows10-2004-x64    10
  Windows/Te...64.exe      windows7-x64           1
  Windows/Te...64.exe      windows10-2004-x64     1
  Windows/Te...64.exe      windows7-x64           7
  Windows/Te...64.exe      windows10-2004-x64     1
  Windows/Te...64.exe      windows7-x64           7
  Windows/Te...64.exe      windows10-2004-x64     7

Analysis

max time kernel: 132s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 11:22
Behavioral tasks (task, sample, resource):
  behavioral1   ProgramData/huqvg/huqvg.exe                                    win7-20240221-en
  behavioral2   ProgramData/huqvg/huqvg.exe                                    win10v2004-20240611-en
  behavioral3   Users/Public/4123.dll                                          win7-20240508-en
  behavioral4   Users/Public/4123.dll                                          win10v2004-20240611-en
  behavioral5   Users/Public/4123.xlsb                                         win7-20240611-en
  behavioral6   Users/Public/4123.xlsb                                         win10v2004-20240508-en
  behavioral7   Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll          win7-20240508-en
  behavioral8   Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll          win10v2004-20240508-en
  behavioral9   Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb   win7-20240611-en
  behavioral10  Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb   win10v2004-20240611-en
  behavioral11  Windows/Temp/adf/anchorAsjuster_x64.exe                        win7-20240508-en
  behavioral12  Windows/Temp/adf/anchorAsjuster_x64.exe                        win10v2004-20240611-en
  behavioral13  Windows/Temp/adf/anchorDNS_x64.exe                             win7-20240419-en
  behavioral14  Windows/Temp/adf/anchorDNS_x64.exe                             win10v2004-20240611-en
  behavioral15  Windows/Temp/adf/anchor_x64.exe                                win7-20240221-en
  behavioral16  Windows/Temp/adf/anchor_x64.exe                                win10v2004-20240611-en
General

Target: ProgramData/huqvg/huqvg.exe
Size: 236KB
MD5: efa4b2e7d7016a1f80efff5840de3a18
SHA1: 04606786daa6313867c7ada1f0c9c925d9b602fb
SHA256: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA512: 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
SSDEEP: 6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w
Malware Config

Extracted family: bazarloader
Extracted domains:
- vacationinsydney2021.bazar
- bestsightsofwildaustralia.bazar
- sydneynewtours.bazar
Signatures

- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Bazar/Team9 Loader payload (1 IoC)
  resource                                                                     yara_rule
  behavioral2/memory/4840-2-0x0000000180000000-0x0000000180032000-memory.dmp   BazarLoaderVar1

- Executes dropped EXE (2 IoCs)
  pid    Process
  5012   V2T35B1.exe
  1696   V2T35B1.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\N25LKZ5PURO = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v JV9P0E8X /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V2T35B1.exe\\\" RMBCR\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\V2T35B1.exe\" RMBCR"
  Process: V2T35B1.exe

- Runs ping.exe (1 TTP, 3 IoCs)
  pid    Process
  4568   PING.EXE
  1356   PING.EXE
  3208   PING.EXE

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid    Process
  4840   huqvg.exe
  4840   huqvg.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description                          pid    Process        procid_target
  PID 4840 wrote to memory of 5024     4840   huqvg.exe      94
  PID 4840 wrote to memory of 5024     4840   huqvg.exe      94
  PID 5024 wrote to memory of 3208     5024   cmd.exe        96
  PID 5024 wrote to memory of 3208     5024   cmd.exe        96
  PID 5024 wrote to memory of 960      5024   cmd.exe        98
  PID 5024 wrote to memory of 960      5024   cmd.exe        98
  PID 960 wrote to memory of 4548      960    huqvg.exe      100
  PID 960 wrote to memory of 4548      960    huqvg.exe      100
  PID 4548 wrote to memory of 4568     4548   cmd.exe        102
  PID 4548 wrote to memory of 4568     4548   cmd.exe        102
  PID 4548 wrote to memory of 5012     4548   cmd.exe        103
  PID 4548 wrote to memory of 5012     4548   cmd.exe        103
  PID 5012 wrote to memory of 3880     5012   V2T35B1.exe    105
  PID 5012 wrote to memory of 3880     5012   V2T35B1.exe    105
  PID 3880 wrote to memory of 1356     3880   cmd.exe        107
  PID 3880 wrote to memory of 1356     3880   cmd.exe        107
  PID 3880 wrote to memory of 1696     3880   cmd.exe        108
  PID 3880 wrote to memory of 1696     3880   cmd.exe        108
Processes (process tree; each entry gives image path, command line, PID and triggered signatures)

- C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
  "C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
  PID: 4840
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\cmd.exe
    cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe PUOIU91
    PID: 5024
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\PING.EXE
      ping 8.8.8.8 -n 2
      PID: 3208
      - Runs ping.exe
    - C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
      C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe PUOIU91
      PID: 960
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\cmd.exe
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe VVSHBC
        PID: 4548
        - Suspicious use of WriteProcessMemory
        - C:\Windows\system32\PING.EXE
          ping 8.8.8.8 -n 2
          PID: 4568
          - Runs ping.exe
        - C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe
          C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe VVSHBC
          PID: 5012
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SYSTEM32\cmd.exe
            cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe RMBCR
            PID: 3880
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\PING.EXE
              ping 8.8.8.8 -n 2
              PID: 1356
              - Runs ping.exe
            - C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe
              C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe RMBCR
              PID: 1696
              - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15