Analysis
  max time kernel: 139s
  max time network: 149s
  platform: windows7_x64
  resource: win7-20231129-en
  resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  submitted: 12-04-2024 15:32

Static task: static1

Behavioral task: behavioral1
  Sample: 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
  Resource: win10v2004-20240412-en

General
  Target: 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
  Size: 1.0MB
  MD5: 4334e838a1ad1e35a533d8ff6d55ea3d
  SHA1: cb617e4af09ee90e8918fb7488337a935750a318
  SHA256: 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
  SHA512: 0e107f77986171d13358eb780fbb3c243f1f4afbbfe5f615172e15de2bc1948932b82e592abedb03262444c81ebc86e1e2bfe7fffb3f964289a31c2f5e863dff
  SSDEEP: 24576:0z28lByb3DFSo0hs6vZ0MZ0ZvJPqljO35FhAJacjuFlewy:0K8vommMtZO35FoQm
Malware Config
Signatures
- BunnyLoader
  BunnyLoader is a loader family written in C++.

- Detect BunnyLoader (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2692-39-0x0000000003C90000-0x0000000003CED000-memory.dmp | family_bunnyloader
  behavioral1/memory/2692-40-0x0000000003C90000-0x0000000003CED000-memory.dmp | family_bunnyloader
  behavioral1/memory/2692-41-0x0000000003C90000-0x0000000003CED000-memory.dmp | family_bunnyloader
  behavioral1/memory/2692-42-0x0000000003C90000-0x0000000003CED000-memory.dmp | family_bunnyloader
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  description | pid | process | target process
  PID 2692 created 1368 | 2692 | Memo.pif | Explorer.EXE
  PID 2692 created 1368 | 2692 | Memo.pif | Explorer.EXE
- Drops startup file (2 IoCs)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | cmd.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | cmd.exe
- Executes dropped EXE (1 IoCs)
  pid | process
  2692 | Memo.pif

- Loads dropped DLL (1 IoCs)
  pid | process
  2920 | cmd.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | api.ipify.org
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid | process
  2940 | tasklist.exe
  2620 | tasklist.exe

- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid | process
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
- Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 2940 | tasklist.exe
  Token: SeDebugPrivilege | 2620 | tasklist.exe
  Token: SeIncreaseQuotaPrivilege | 1736 | WMIC.exe
  Token: SeSecurityPrivilege | 1736 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1736 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1736 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1736 | WMIC.exe
  Token: SeSystemtimePrivilege | 1736 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1736 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1736 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1736 | WMIC.exe
  Token: SeBackupPrivilege | 1736 | WMIC.exe
  Token: SeRestorePrivilege | 1736 | WMIC.exe
  Token: SeShutdownPrivilege | 1736 | WMIC.exe
  Token: SeDebugPrivilege | 1736 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1736 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1736 | WMIC.exe
  Token: SeUndockPrivilege | 1736 | WMIC.exe
  Token: SeManageVolumePrivilege | 1736 | WMIC.exe
  Token: 33 | 1736 | WMIC.exe
  Token: 34 | 1736 | WMIC.exe
  Token: 35 | 1736 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1736 | WMIC.exe
  Token: SeSecurityPrivilege | 1736 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1736 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1736 | WMIC.exe
  Token: SeSystemProfilePrivilege | 1736 | WMIC.exe
  Token: SeSystemtimePrivilege | 1736 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 1736 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 1736 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 1736 | WMIC.exe
  Token: SeBackupPrivilege | 1736 | WMIC.exe
  Token: SeRestorePrivilege | 1736 | WMIC.exe
  Token: SeShutdownPrivilege | 1736 | WMIC.exe
  Token: SeDebugPrivilege | 1736 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1736 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 1736 | WMIC.exe
  Token: SeUndockPrivilege | 1736 | WMIC.exe
  Token: SeManageVolumePrivilege | 1736 | WMIC.exe
  Token: 33 | 1736 | WMIC.exe
  Token: 34 | 1736 | WMIC.exe
  Token: 35 | 1736 | WMIC.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | process
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif

- Suspicious use of SendNotifyMessage (3 IoCs)
  pid | process
  2692 | Memo.pif
  2692 | Memo.pif
  2692 | Memo.pif
- Suspicious use of WriteProcessMemory (60 IoCs)
  description | pid | process | target process
  PID 3048 wrote to memory of 2920 | 3048 | 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe | cmd.exe
  PID 3048 wrote to memory of 2920 | 3048 | 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe | cmd.exe
  PID 3048 wrote to memory of 2920 | 3048 | 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe | cmd.exe
  PID 3048 wrote to memory of 2920 | 3048 | 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe | cmd.exe
  PID 2920 wrote to memory of 2940 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2940 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2940 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2940 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2524 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2524 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2524 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2524 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2620 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2620 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2620 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2620 | 2920 | cmd.exe | tasklist.exe
  PID 2920 wrote to memory of 2672 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2672 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2672 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2672 | 2920 | cmd.exe | findstr.exe
  PID 2920 wrote to memory of 2648 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2648 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2648 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2648 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2520 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2520 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2520 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2520 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2316 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2316 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2316 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2316 | 2920 | cmd.exe | cmd.exe
  PID 2920 wrote to memory of 2692 | 2920 | cmd.exe | Memo.pif
  PID 2920 wrote to memory of 2692 | 2920 | cmd.exe | Memo.pif
  PID 2920 wrote to memory of 2692 | 2920 | cmd.exe | Memo.pif
  PID 2920 wrote to memory of 2692 | 2920 | cmd.exe | Memo.pif
  PID 2920 wrote to memory of 2428 | 2920 | cmd.exe | PING.EXE
  PID 2920 wrote to memory of 2428 | 2920 | cmd.exe | PING.EXE
  PID 2920 wrote to memory of 2428 | 2920 | cmd.exe | PING.EXE
  PID 2920 wrote to memory of 2428 | 2920 | cmd.exe | PING.EXE
  PID 2692 wrote to memory of 2324 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2324 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2324 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2324 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2480 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2480 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2480 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2480 | 2692 | Memo.pif | cmd.exe
  PID 2480 wrote to memory of 2032 | 2480 | cmd.exe | schtasks.exe
  PID 2480 wrote to memory of 2032 | 2480 | cmd.exe | schtasks.exe
  PID 2480 wrote to memory of 2032 | 2480 | cmd.exe | schtasks.exe
  PID 2480 wrote to memory of 2032 | 2480 | cmd.exe | schtasks.exe
  PID 2692 wrote to memory of 2184 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2184 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2184 | 2692 | Memo.pif | cmd.exe
  PID 2692 wrote to memory of 2184 | 2692 | Memo.pif | cmd.exe
  PID 2184 wrote to memory of 1736 | 2184 | cmd.exe | WMIC.exe
  PID 2184 wrote to memory of 1736 | 2184 | cmd.exe | WMIC.exe
  PID 2184 wrote to memory of 1736 | 2184 | cmd.exe | WMIC.exe
  PID 2184 wrote to memory of 1736 | 2184 | cmd.exe | WMIC.exe
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1368
  - C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 3048
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k move Azerbaijan Azerbaijan.bat & Azerbaijan.bat & exit
      Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID: 2920
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        PID: 2940
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        PID: 2524
      - C:\Windows\SysWOW64\tasklist.exe
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
        PID: 2620
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /I "wrsa.exe opssvc.exe"
        PID: 2672
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c md 1109
        PID: 2648
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b Ap + Friend + County + Laws + Plant 1109\Memo.pif
        PID: 2520
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c copy /b Bring 1109\g
        PID: 2316
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif
        Command line: 1109\Memo.pif 1109\g
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        PID: 2692
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
          Signatures: Suspicious use of WriteProcessMemory
          PID: 2184
          - C:\Windows\SysWOW64\Wbem\WMIC.exe
            Command line: wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
            Signatures: Suspicious use of AdjustPrivilegeToken
            PID: 1736
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 5 localhost
        Signatures: Runs ping.exe
        PID: 2428
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & echo URL="C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & exit
    Signatures: Drops startup file
    PID: 2324
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
    Signatures: Suspicious use of WriteProcessMemory
    PID: 2480
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
      Signatures: Creates scheduled task(s)
      PID: 2032
Network
MITRE ATT&CK Enterprise v15
Downloads