Analysis

max time kernel: 128s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-04-2024 12:43

Static task: static1

Behavioral task: behavioral1
Sample: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
Resource: win10v2004-20240226-en
General

Target: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
Size: 282KB
MD5: c9d38b122b2a987945b6fae866bc0dcb
SHA1: 247beb05c9c3db2e48eb47f977b84d7af1ecb542
SHA256: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26
SHA512: 3e77bcf0e4c0bbed2ce8b5ad6df7e8163c6d2474547c3c2ee32e924d6a7a198d15fbfd90992539247d123d829c3cba8c2101c340f10f6867ad9da38171cc0d5e
SSDEEP: 6144:lxeJo5DgX1mRit9vLbgK6Adm+c6KZH2JGP9XtkE/OWm:LekD82GvYRAYYKZGGJtk+G
Malware Config

Extracted config (family: bazarloader)
Addresses:
87.121.52.79
31.13.195.90
87.120.37.173
31.13.195.87
Domains:
reddew28c.bazar
bluehail.bazar
whitestorm9p.bazar
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: rundll32.exe, cmd.exe

description                        pid   process       target process
PID 2988 wrote to memory of 1664   2988  rundll32.exe  cmd.exe
PID 2988 wrote to memory of 1664   2988  rundll32.exe  cmd.exe
PID 2988 wrote to memory of 1664   2988  rundll32.exe  cmd.exe
PID 1664 wrote to memory of 2160   1664  cmd.exe       PING.EXE
PID 1664 wrote to memory of 2160   1664  cmd.exe       PING.EXE
PID 1664 wrote to memory of 2160   1664  cmd.exe       PING.EXE
PID 2988 wrote to memory of 908    2988  rundll32.exe  WerFault.exe
PID 2988 wrote to memory of 908    2988  rundll32.exe  WerFault.exe
PID 2988 wrote to memory of 908    2988  rundll32.exe  WerFault.exe
PID 1664 wrote to memory of 1768   1664  cmd.exe       rundll32.exe
PID 1664 wrote to memory of 1768   1664  cmd.exe       rundll32.exe
PID 1664 wrote to memory of 1768   1664  cmd.exe       rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: cmd /c ping 192.0.2.105 -n 9 -i 36 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll", #1 wD6bUqfE kO5rG7fD & exit
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\PING.EXE
         command line: ping 192.0.2.105 -n 9 -i 36 -w 1000
         - Runs ping.exe

      3. C:\Windows\system32\rundll32.exe
         command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll", #1 wD6bUqfE kO5rG7fD

   2. C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2988 -s 120