Overview

overview

10

Static

static

3

Attachments.lnk

windows7-x64

10

Attachments.lnk

windows10-2004-x64

10

DumpStack.dll

windows7-x64

1

DumpStack.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    165s
  • max time network
    187s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-04-2024 11:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Attachments.lnk

  • Size

    1KB

  • MD5

    e87e52db1aa360baf8444c5524dd2b26

  • SHA1

    b89d0c4568c74f03ec3e1917c22a83c37409b10a

  • SHA256

    6497223d35530f2e510382aa1866b83ffaf215213b8080b7ecb299b6e7e3e6b1

  • SHA512

    e93d7808c29ec45569382ee5bd2f50a41c0cf1c1d2cbb909d5aec2abf166f0ad87b672eaa4a1c00b28eb31faf55f1a254d8ab842bcb4d22dd750b26926e7c64a

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3628
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Windows\system32\xcopy.exe
        xcopy /y DumpStack.log c:\programdata\
        3⤵
          PID:4448
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload
          3⤵
          • Loads dropped DLL
          PID:3448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:4364

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\programdata\DumpStack.log
        Filesize

        216KB

        MD5

        85326ee9659fc5bf82c6d71b74f02684

        SHA1

        f2bd6c53e806861256285bb1c0d51312a10267a8

        SHA256

        ca3c7c4b570751c0dbf9063a23035967dfca4a2c7a8ce6bb2997439257ac6f10

        SHA512

        43b621dc4169a370241423c3775a1ac9ea83fb4df73111cb396b149f79a9d51122c5f3f8f1158482feefe62d45af741d04540e4578f84e613f0a5c668d41cf0b

        Download Submit
      • memory/3448-5-0x0000000180000000-0x000000018003D000-memory.dmp
        Filesize

        244KB

        Download