Overview
overview
10Static
static
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...et.exe
windows7-x64
10bazaar.202...et.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...it.exe
windows7-x64
9bazaar.202...it.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
1bazaar.202...an.exe
windows10-2004-x64
1bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
General
-
Target
bazaar.2020.02/Backdoor.Win32.Parazit.exe
-
Size
48KB
-
MD5
d52448cb39e67d27dae28f60906affcc
-
SHA1
803c032ddeb9bcb46d828cf6bdc989d1a25cc660
-
SHA256
4f54c2e0def0a2a5b478220b3ddbccc3ee2a7302cddbfe0e8e1d394587589d88
-
SHA512
f5b9ada70e56f1e95dce6b95a612bf1ebef301be79328b802a7bce1e225ba78eabbaf825d8153215460625c1e6432add972f9c597a9d318973338a1a7895740d
-
SSDEEP
768:ULvM+2O7Gel5quISq41ET8n7efFKuaAu4ycpV0byA8Bw4/xv5fS5:cCvel5HnqDY6f4vBcpsraW
Malware Config
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo Backdoor.Win32.Parazit.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ Backdoor.Win32.Parazit.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Backdoor.Win32.Parazit.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Backdoor.Win32.Parazit.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Backdoor.Win32.Parazit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Backdoor.Win32.Parazit.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Backdoor.Win32.Parazit.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine Backdoor.Win32.Parazit.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\FMRYTTHQCK.exe\"" Backdoor.Win32.Parazit.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4920 set thread context of 556 4920 Backdoor.Win32.Parazit.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Backdoor.Win32.Parazit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe 4920 Backdoor.Win32.Parazit.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 4920 Backdoor.Win32.Parazit.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4920 wrote to memory of 556 4920 Backdoor.Win32.Parazit.exe 81 PID 4920 wrote to memory of 556 4920 Backdoor.Win32.Parazit.exe 81 PID 4920 wrote to memory of 556 4920 Backdoor.Win32.Parazit.exe 81 PID 4920 wrote to memory of 556 4920 Backdoor.Win32.Parazit.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Backdoor.Win32.Parazit.exe"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\Backdoor.Win32.Parazit.exe"1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\syswow64\svchost.exe2⤵
- System Location Discovery: System Language Discovery
PID:556
-