Analysis
max time kernel: 140s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 12:43
Static task: static1
Behavioral task: behavioral1
  Sample: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
  Resource: win10v2004-20240226-en
General
Target: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll
Size: 282KB
MD5: c9d38b122b2a987945b6fae866bc0dcb
SHA1: 247beb05c9c3db2e48eb47f977b84d7af1ecb542
SHA256: 936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26
SHA512: 3e77bcf0e4c0bbed2ce8b5ad6df7e8163c6d2474547c3c2ee32e924d6a7a198d15fbfd90992539247d123d829c3cba8c2101c340f10f6867ad9da38171cc0d5e
SSDEEP: 6144:lxeJo5DgX1mRit9vLbgK6Adm+c6KZH2JGP9XtkE/OWm:LekD82GvYRAYYKZGGJtk+G
Malware Config
Extracted: bazarloader
Addresses:
  87.121.52.79
  31.13.195.90
  87.120.37.173
  31.13.195.87
Domains:
  reddew28c.bazar
  bluehail.bazar
  whitestorm9p.bazar
Signatures
Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 628 wrote to memory of 5064  | 628  | rundll32.exe | cmd.exe
  PID 628 wrote to memory of 5064  | 628  | rundll32.exe | cmd.exe
  PID 5064 wrote to memory of 1896 | 5064 | cmd.exe      | PING.EXE
  PID 5064 wrote to memory of 1896 | 5064 | cmd.exe      | PING.EXE
  PID 5064 wrote to memory of 3448 | 5064 | cmd.exe      | rundll32.exe
  PID 5064 wrote to memory of 3448 | 5064 | cmd.exe      | rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    command line: cmd /c ping 127.0.0.1 -n 8 -i 123 -4 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll", #1 ZF3bI6aD VI0rr2aG & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\PING.EXE
      command line: ping 127.0.0.1 -n 8 -i 123 -4
      - Runs ping.exe
    C:\Windows\system32\rundll32.exe
      command line: "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\936426ce7210fbd0ce519fb4121289fc1c43247fa96a7d1cd96d276f1662df26.dll", #1 ZF3bI6aD VI0rr2aG
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/628-0-0x00007FF4C0F30000-0x00007FF4C0F50000-memory.dmp (filesize 128KB)
memory/628-1-0x00007FF4C0F30000-0x00007FF4C0F50000-memory.dmp (filesize 128KB)
memory/628-2-0x00007FF4C0F30000-0x00007FF4C0F50000-memory.dmp (filesize 128KB)
memory/3448-3-0x00007FF4E45D0000-0x00007FF4E45F0000-memory.dmp (filesize 128KB)
memory/3448-4-0x00007FF4E45D0000-0x00007FF4E45F0000-memory.dmp (filesize 128KB)