Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-03-2024 06:52
Static task: static1
Behavioral task: behavioral1
Sample: bakjr.exe
Resource: win10-20240221-en
General
Target: bakjr.exe
Size: 248KB
MD5: bb5ef523f0bf243790b6c67dd77ee986
SHA1: cbfe325c2101c5f76a3675b23b459eeb641eecb6
SHA256: c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
SHA512: eb9ffe004187d6174cf0cc2f85184e5a524546e1bc7139c1f16147049eadbd92f94818ea618370450779753c87d8349efe255244eef2450e16f9446799cdeef2
SSDEEP: 6144:dL8d+BxlwJG25dgtNZfWjBVyRaViIboK:diilKG2ypWjBwjIsK
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/3036-0-0x000002BAF0CD0000-0x000002BAF0D0D000-memory.dmp  BazarLoaderVar6
  behavioral1/memory/4744-11-0x000002DA46A10000-0x000002DA46A4D000-memory.dmp BazarLoaderVar6
Both matches are the same 0x3D000-byte (244KB) region, found once in each bakjr.exe instance (PIDs 3036 and 4744) at different base addresses, so any dump-scanning rule derived from this should key on content, not on absolute addresses.
Tries to connect to .bazar domain (64 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others. .bazar is not an ICANN TLD; it is served by the EmerDNS/OpenNIC alternative root, so these names can only be resolved through resolvers the sample picks itself (see the DNS traffic below). 61 of the 64 names are single 8-letter pseudo-random labels; three are readable vanity names (flows 33, 34 and 35).
  flow  ioc
  33    vacationinsydney2021.bazar
  34    bestsightsofwildaustralia.bazar
  35    sydneynewtours.bazar
  38    ewoxekex.bazar
  39    waixavso.bazar
  40    rediekex.bazar
  41    udkyygso.bazar
  42    ekdiygso.bazar
  46    reezwyso.bazar
  48    avsiygso.bazar
  50    udixwyud.bazar
  51    touxwyso.bazar
  53    yrwoygud.bazar
  54    onoxygso.bazar
  55    wyquavyr.bazar
  56    wawoekso.bazar
  57    omxoekyr.bazar
  58    yrixekex.bazar
  59    viuxekex.bazar
  60    avraygex.bazar
  63    vianekyr.bazar
  64    rewowyex.bazar
  65    ywxoavex.bazar
  66    ygdiekyr.bazar
  67    evanekud.bazar
  69    ewoxygyr.bazar
  72    erxowyso.bazar
  73    onuxekud.bazar
  75    mexiygyr.bazar
  77    ywuxwyso.bazar
  79    sowoekyr.bazar
  80    avaswyyr.bazar
  81    avgyavso.bazar
  86    meqawyso.bazar
  87    ekdiekyr.bazar
  89    erwowyso.bazar
  90    viwoavso.bazar
  91    erezwyex.bazar
  92    erixwyyr.bazar
  96    ygixekex.bazar
  97    yzoxygex.bazar
  98    ewxiavso.bazar
  99    meohygyr.bazar
  100   omohavex.bazar
  101   ywkywyud.bazar
  104   viezavex.bazar
  106   omohavud.bazar
  107   udleygso.bazar
  108   walewyud.bazar
  109   ekanekud.bazar
  110   onohygex.bazar
  111   ywquwyyr.bazar
  112   ewdiekyr.bazar
  113   viezygyr.bazar
  115   wysiavud.bazar
  117   soanekyr.bazar
  118   udanygud.bazar
  119   udxiwyso.bazar
  120   omapekex.bazar
  130   wauxwyex.bazar
  137   omuxwyso.bazar
  141   erwoekex.bazar
  143   ewkywyso.bazar
  146   yzdiavso.bazar
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port. The 64 flows go to three destinations:
  Destination IP   flows
  70.34.254.19     35
  185.181.61.24    28
  195.10.195.195   1
These are the resolvers the sample uses for the .bazar lookups above; traffic on port 53 to addresses outside the configured resolver set is the simplest network-level signal for this loader family.
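The two DNS signatures above (alternative-root .bazar lookups, and DNS-port traffic to resolvers the host was not configured to use) as detection logic over sample telemetry. This is an added example, not part of the sandbox report. The one-line-per-query log format is constructed; the domains and resolver addresses in the sample are the ones the report lists, while the client address 10.127.0.5 and the configured resolver 10.127.0.1 are assumptions.

```python
"""Detection logic for alt-root TLD lookups and unexpected DNS resolvers.

Added example, not from the sandbox report. Log format (constructed):
<timestamp> <src_ip> <dst_ip> <dst_port> <query_name>
"""
import re
from collections import Counter

# Assumption: the resolver(s) the host is configured to use.
CONFIGURED_RESOLVERS = {"10.127.0.1"}

# TLDs absent from the ICANN root; a normal resolver cannot answer them, so a
# query for one is a strong signal on its own. .bazar is the one seen here.
ALT_ROOT_TLDS = {"bazar", "coin", "emc", "lib"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<query>\S+)$"
)

# Constructed sample telemetry; names and resolver IPs are taken from the report.
SAMPLE_LOG = """\
2024-03-15T06:53:01Z 10.127.0.5 10.127.0.1 53 www.microsoft.com
2024-03-15T06:53:02Z 10.127.0.5 10.127.0.1 53 api.opennicproject.org
2024-03-15T06:53:03Z 10.127.0.5 185.181.61.24 53 yrixekex.bazar
2024-03-15T06:53:03Z 10.127.0.5 70.34.254.19 53 avraygex.bazar
2024-03-15T06:53:04Z 10.127.0.5 70.34.254.19 53 bestsightsofwildaustralia.bazar
2024-03-15T06:53:05Z 10.127.0.5 195.10.195.195 53 walewyud.bazar
2024-03-15T06:53:06Z 10.127.0.5 10.127.0.1 443 not-dns-traffic.example
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["query"] = rec["query"].rstrip(".").lower()
    return rec


def tld(name):
    """Rightmost label of a normalised domain name."""
    return name.rsplit(".", 1)[-1]


def looks_generated(name):
    """Heuristic for the pattern in the report: a single 8-letter second-level
    label (61 of the 64 listed names) versus a readable vanity name such as
    sydneynewtours.bazar. A heuristic only, not the loader's real DGA."""
    labels = name.split(".")
    if len(labels) != 2:
        return False
    sld = labels[0]
    return len(sld) == 8 and sld.isalpha()


def analyse(log_text, configured=CONFIGURED_RESOLVERS, alt_tlds=ALT_ROOT_TLDS):
    """Run both checks over the log text and return the findings."""
    findings = {
        "alt_root_queries": [],             # (query, resolver, dga_like)
        "unexpected_resolvers": Counter(),  # resolver -> DNS-port flows
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue  # only DNS-port traffic is in scope for either signature
        if tld(rec["query"]) in alt_tlds:
            findings["alt_root_queries"].append(
                (rec["query"], rec["dst"], looks_generated(rec["query"]))
            )
        if rec["dst"] not in configured:
            findings["unexpected_resolvers"][rec["dst"]] += 1
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for query, resolver, generated in result["alt_root_queries"]:
        print(f"alt-root lookup {query} via {resolver} (dga-like={generated})")
    for resolver, n in result["unexpected_resolvers"].most_common():
        print(f"unexpected resolver {resolver}: {n} flow(s)")
```

The resolver check fires independently of the TLD check on purpose: a loader that switched to a TLD not in ALT_ROOT_TLDS would still be caught by its use of resolvers outside the configured set, and a .bazar lookup sent to the corporate resolver (which will fail with NXDOMAIN) is still reported.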
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    HTTP URL https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
The endpoint is the OpenNIC project's geoip API, which answers with a list of OpenNIC resolvers near the client rather than just the client's address; that fits the DNS traffic to non-configured resolvers above, where the sample needs OpenNIC-style servers to resolve .bazar names.
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 3 IoCs)
  process      description        ioc
  WINWORD.EXE  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily
  WINWORD.EXE  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU
All six registry IoCs are attributed to WINWORD.EXE, which the sandbox launched on the desktop file CompleteSuspend.rtf, not to bakjr.exe; they should not be read as sandbox-evasion behaviour of the sample.
Modifies registry class (1 IoC)
  process       description  ioc
  OpenWith.exe  Key created  \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings

Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  pid   process
  4212  WINWORD.EXE
  4212  WINWORD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  3044  OpenWith.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
  pid   process
  3044  OpenWith.exe
  4212  WINWORD.EXE (12 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\bakjr.exe
  "C:\Users\Admin\AppData\Local\Temp\bakjr.exe"
- C:\Users\Admin\AppData\Local\Temp\bakjr.exe
  C:\Users\Admin\AppData\Local\Temp\bakjr.exe 3299755233
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompleteSuspend.rtf" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
The sample runs twice: once as submitted and once re-launched with a numeric argument (3299755233). The Bazar/Team9 Loader YARA hits are in the memory of both bakjr.exe instances (PIDs 3036 and 4744 in the dump list below); the OpenWith.exe and WINWORD.EXE entries are sandbox-side activity with no signature tying them to the sample.
MITRE ATT&CK Matrix ATT&CK v13
Downloads
  memory dump                                                     size
  memory/3036-0-0x000002BAF0CD0000-0x000002BAF0D0D000-memory.dmp  244KB
  memory/4212-45-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-32-0x00007FFC38320000-0x00007FFC38330000-memory.dmp 64KB
  memory/4212-47-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-33-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-35-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-34-0x00007FFC38320000-0x00007FFC38330000-memory.dmp 64KB
  memory/4212-37-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-39-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-40-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-38-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-36-0x00007FFC38320000-0x00007FFC38330000-memory.dmp 64KB
  memory/4212-42-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-43-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-46-0x00007FFC34810000-0x00007FFC34820000-memory.dmp 64KB
  memory/4212-66-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-31-0x00007FFC38320000-0x00007FFC38330000-memory.dmp 64KB
  memory/4212-48-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-49-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-50-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-51-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-52-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-54-0x00007FFC34810000-0x00007FFC34820000-memory.dmp 64KB
  memory/4212-53-0x00007FFC75B00000-0x00007FFC75BAE000-memory.dmp 696KB
  memory/4212-55-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-57-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-59-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-61-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-63-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4212-65-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp 1.9MB
  memory/4744-11-0x000002DA46A10000-0x000002DA46A4D000-memory.dmp 244KB
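The dump list above repeats the same address range many times (one entry per snapshot), which hides the fact that PID 4212 has only four distinct regions and that the two bakjr.exe PIDs hold an identically sized 0x3D000-byte region at different bases. The following parser for the dump-name format, with the page's own list as input, collapses the repeats and reproduces the sizes shown. It is an added example, not the sandbox's own tooling; the name pattern memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp is inferred from the entries on this page.

```python
"""Parse sandbox memory-dump names and collapse repeated snapshots per region.

Added example, not from the report. Name pattern inferred from the page:
memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<snap>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Sample input: the 31 dump names listed on the page, in page order.
SAMPLE_DUMPS = """
memory/3036-0-0x000002BAF0CD0000-0x000002BAF0D0D000-memory.dmp
memory/4212-45-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-32-0x00007FFC38320000-0x00007FFC38330000-memory.dmp
memory/4212-47-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-33-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-35-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-34-0x00007FFC38320000-0x00007FFC38330000-memory.dmp
memory/4212-37-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-39-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-40-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-38-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-36-0x00007FFC38320000-0x00007FFC38330000-memory.dmp
memory/4212-42-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-43-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-46-0x00007FFC34810000-0x00007FFC34820000-memory.dmp
memory/4212-66-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-31-0x00007FFC38320000-0x00007FFC38330000-memory.dmp
memory/4212-48-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-49-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-50-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-51-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-52-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-54-0x00007FFC34810000-0x00007FFC34820000-memory.dmp
memory/4212-53-0x00007FFC75B00000-0x00007FFC75BAE000-memory.dmp
memory/4212-55-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-57-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-59-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-61-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-63-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4212-65-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp
memory/4744-11-0x000002DA46A10000-0x000002DA46A4D000-memory.dmp
"""


def parse_dump_name(name):
    """Split one dump name into pid, snapshot index and address range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "snapshot": int(m["snap"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Same rounding the report uses: whole KB below 1 MiB, one decimal MB above."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def unique_regions(names):
    """pid -> [(start, end, size, [snapshots])], one entry per distinct range."""
    by_pid = defaultdict(dict)
    for raw in names:
        if not raw.strip():
            continue  # tolerate blank lines in pasted input
        d = parse_dump_name(raw)
        by_pid[d["pid"]].setdefault((d["start"], d["end"]), []).append(d["snapshot"])
    return {pid: [(s, e, e - s, sorted(snaps)) for (s, e), snaps in sorted(regs.items())]
            for pid, regs in by_pid.items()}


def find_region(names, size):
    """(pid, start) of every distinct region of exactly `size` bytes. Shows the
    loader image at a different base in each bakjr.exe PID, which is why a dump
    scan must match on content rather than on addresses."""
    return sorted((pid, s) for pid, regs in unique_regions(names).items()
                  for s, _e, sz, _snaps in regs if sz == size)
```

Running unique_regions over SAMPLE_DUMPS gives three PIDs: 3036 and 4744 with one 244KB region each, and 4212 with four regions (two 64KB, one 696KB, one 1.9MB range captured in 22 snapshots). find_region(..., 0x3D000) returns the two bakjr.exe regions and nothing from WINWORD.EXE.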