Overview
overview
10Static
static
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...et.exe
windows7-x64
10bazaar.202...et.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...lf.exe
windows7-x64
10bazaar.202...lf.exe
windows10-2004-x64
10bazaar.202...it.exe
windows7-x64
9bazaar.202...it.exe
windows10-2004-x64
10bazaar.202...nt.exe
windows7-x64
10bazaar.202...nt.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
1bazaar.202...an.exe
windows10-2004-x64
1bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10bazaar.202...an.exe
windows7-x64
10bazaar.202...an.exe
windows10-2004-x64
10Analysis
-
max time kernel
151s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-09-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
bazaar.2020.02/Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
bazaar.2020.02/Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
bazaar.2020.02/Backdoor.Win32.DarkKomet.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
bazaar.2020.02/Backdoor.Win32.Delf.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
bazaar.2020.02/Backdoor.Win32.Parazit.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Agent.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral21
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240729-en
Behavioral task
behavioral26
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
Resource
win7-20240903-en
General
-
Target
bazaar.2020.02/HEUR-Backdoor.MSIL.Crysan.exe
-
Size
46KB
-
MD5
ceef7b8296b733da0be864ccdf41ce77
-
SHA1
c66de07f66ace03ef1e140c8e46525c27df94b04
-
SHA256
5515739bd8752264b7ee2a2c9b957d36af9fb16b19d7dd1aef4139f2fe74af47
-
SHA512
62241a9b37933edd4c751316c9cc8a8b195766d81baab7d5b2ef3a532c464e6d76fe9d781ac94c1aff587052a3d9e18478e509e51313656bc2db2b38df792c70
-
SSDEEP
768:vqdwSbXx6csbXkOicvHk3eHlWMPbPgF0qybI6QolYI6OCC2tYcFmVc6K:vJbXXvZH0ub4FrybI6Qm6OnKmVcl
Malware Config
Extracted
asyncrat
0.5.6A
null
sam144169-56334.portmap.io:56334
sam144169-56334.portmap.io:5552
sam144169-56334.portmap.io:5050
webforma.chickenkiller.com:56334
webforma.chickenkiller.com:5552
webforma.chickenkiller.com:5050
webdata.ddns.net:56334
webdata.ddns.net:5552
webdata.ddns.net:5050
xOUgFqeTTggB
-
delay
5
-
install
true
-
install_file
svchost.exe
-
install_folder
%AppData%
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2804 svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid Process 2936 timeout.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2852 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 664 HEUR-Backdoor.MSIL.Crysan.exe 2804 svchost.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 664 HEUR-Backdoor.MSIL.Crysan.exe Token: SeDebugPrivilege 2804 svchost.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 664 wrote to memory of 2852 664 HEUR-Backdoor.MSIL.Crysan.exe 29 PID 664 wrote to memory of 2852 664 HEUR-Backdoor.MSIL.Crysan.exe 29 PID 664 wrote to memory of 2852 664 HEUR-Backdoor.MSIL.Crysan.exe 29 PID 664 wrote to memory of 2968 664 HEUR-Backdoor.MSIL.Crysan.exe 31 PID 664 wrote to memory of 2968 664 HEUR-Backdoor.MSIL.Crysan.exe 31 PID 664 wrote to memory of 2968 664 HEUR-Backdoor.MSIL.Crysan.exe 31 PID 2968 wrote to memory of 2936 2968 cmd.exe 33 PID 2968 wrote to memory of 2936 2968 cmd.exe 33 PID 2968 wrote to memory of 2936 2968 cmd.exe 33 PID 2968 wrote to memory of 2804 2968 cmd.exe 34 PID 2968 wrote to memory of 2804 2968 cmd.exe 34 PID 2968 wrote to memory of 2804 2968 cmd.exe 34 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Crysan.exe"C:\Users\Admin\AppData\Local\Temp\bazaar.2020.02\HEUR-Backdoor.MSIL.Crysan.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'svchost"' /tr "'C:\Users\Admin\AppData\Roaming\svchost.exe"'2⤵
- Scheduled Task/Job: Scheduled Task
PID:2852
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4CAA.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2936
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
151B
MD5e388c3c8ca2da09843f419c5d4748f4f
SHA19d7b95a66ba537ba01af5e5cb84d234a4442cbfb
SHA256df4ee3a0a90dc847358bef9f33cf6d5dfa71e90d711bbd260f8ad0ed93934133
SHA51245231d9de5f201b501f8eb93c7c75d00c9a30335a58005172d825042c01501e3d68c6513911f610497420b0ccadc945fac8f98f32d2d58d440f4c7c332e90416
-
Filesize
48.3MB
MD5d8bff49450fa4f3345f04d1e10f8c295
SHA1b9a3873d0d9c59c7796d75391425e9d8fff2728d
SHA25636e199c619f467417fa7e81023fe697bc58b87c35c301bbc86b78d20643384bb
SHA512fd7df914ba74003ecf85cb110342c35374ade9787e301cf6e01d74a2908a3183f708caba82e21e816838f85d5efda5e9c1a013a256a2faa5fe5cb5ef211533b7