Resubmissions

12-04-2024 15:32

240412-sys2eabf59 10

21-02-2024 03:49

240221-edjeksba2x 10

Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-04-2024 15:32

General

  • Target
    9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
  • Size
    1.0MB
  • MD5
    4334e838a1ad1e35a533d8ff6d55ea3d
  • SHA1
    cb617e4af09ee90e8918fb7488337a935750a318
  • SHA256
    9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
  • SHA512
    0e107f77986171d13358eb780fbb3c243f1f4afbbfe5f615172e15de2bc1948932b82e592abedb03262444c81ebc86e1e2bfe7fffb3f964289a31c2f5e863dff
  • SSDEEP
    24576:0z28lByb3DFSo0hs6vZ0MZ0ZvJPqljO35FhAJacjuFlewy:0K8vommMtZO35FoQm

Score
10/10

Malware Config

Signatures

  • BunnyLoader

    BunnyLoader is a loader family written in C++.

  • Detect BunnyLoader (4 IoCs)
  • Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Looks up external IP address via web service (1 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  • Runs ping.exe (1 TTPs, 1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (42 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of WriteProcessMemory (60 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1368
    • C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
      "C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k move Azerbaijan Azerbaijan.bat & Azerbaijan.bat & exit
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2920
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2940
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
          4⤵
          PID:2524
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2620
        • C:\Windows\SysWOW64\findstr.exe
          findstr /I "wrsa.exe opssvc.exe"
          4⤵
          PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c md 1109
          4⤵
          PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Ap + Friend + County + Laws + Plant 1109\Memo.pif
          4⤵
          PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c copy /b Bring 1109\g
          4⤵
          PID:2316
        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif
          1109\Memo.pif 1109\g
          4⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1736
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 5 localhost
          4⤵
          • Runs ping.exe
          PID:2428
    • C:\Windows\SysWOW64\cmd.exe
      cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & echo URL="C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & exit
      2⤵
      • Drops startup file
      PID:2324
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
        3⤵
        • Creates scheduled task(s)
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ap
    Filesize: 259KB
    MD5: a745de26cccd7229f9b3083e0e657c51
    SHA1: ee6792f27d4d5e07f0d41dbd95b0fec772a94abf
    SHA256: 61e6fb53b7c6b26fdfbee29d63bb36c8dd33ed7fb8ed97ca488d107fbc1ba3c3
    SHA512: 9f1701d197b8e0fb1cd929404bfd9440c7ba5c724493a9a4831d9a885d1b6b169b67f344e73facefe18a753ebe22d78c61ea551a4820b7fb471d4b6670d9cc00

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Azerbaijan
    Filesize: 10KB
    MD5: 44c71397920468dddf7bb1dc8933259f
    SHA1: fdf205c1c85f3b59dc4cf66523172fa3f37efce8
    SHA256: 75978ba45715cad18f1dc9acc0eec4a1e6194cda6cfcb44daaeb851be665f52e
    SHA512: bf8b7e54ae65e4691a7981d6af792797be90bd55554f3f3d9316d0993e421a426046ced50cc91eac0bedaadbc315326201da640190192c1d6ff2d50a3c32369a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bring
    Filesize: 878KB
    MD5: b833ca1c2478a60371622ef394d6867d
    SHA1: 4278d7af0744ed090c541563cbc2792988d00cd6
    SHA256: cd82e9442c7643b70b267a68f2bbe271298e7474b8310cd50e4b6e586b7d9f44
    SHA512: 973dac96f9ecdf43b2bee02ffbc06583375c3fa6d2abe3541e8bb3697a6bee49f824954abb37b3385ddaf2c3447d8cea83e063349a8d5971ae0908f5430cfb0a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\County
    Filesize: 206KB
    MD5: 23bfb44f90ecf7e147b21aeb638be0e8
    SHA1: 0764403645568683a776ef34bf4eb7c7f8775e6e
    SHA256: 70c40c9ca3ccfe1176875a073e911e8deb3e015b6ef2fd0051223a335dd76033
    SHA512: d8e8caccff81bee0f30b2c12c40a976b9d1df94c50208647959bce2ea3dd4a2989ba4bec0918a0ff8a9456f5dad217acfb03b46f3c97eebb7139ff9760e29278

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Friend
    Filesize: 156KB
    MD5: 8a0bdcea077716b3eefce44a2de444ab
    SHA1: 3724020a71d0f9cc13e5f7bd4d079c92fdb01bed
    SHA256: f70978891348d7b742c8012d05be109c5d93e05207dd0ac4d16484e496973552
    SHA512: 5ea039830291f78baabc13e00cae55532cf4aa77aca03955fb080e7da1b79f55334b22198238e85f090c3f76898cacf3a476704acd53672181d349d7a624cca7

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Laws
    Filesize: 284KB
    MD5: cadb4ef1a35122c6bff9f2e1774ebbe9
    SHA1: b711c1429a69a8922da301606b2e19648a0fe537
    SHA256: c522ac485cfbdb75bb3f35bfe62263fb17cb64464e111d2e287b9084a85ff670
    SHA512: 6000f5511240431a9e320c5e2351a8518642786fe1aa0a59a5d523eb7899b88bf6e3ab5629d6cbf34866974b41511fdc55a83923c56da0caa92f20f360641f7e

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plant
    Filesize: 19KB
    MD5: 29d98b6cbc770d518dfbf5fd2f4fa178
    SHA1: 1d030e6fd228895d071c28f8e5f70676646f3734
    SHA256: 7d270a6900ef6385133b30e462bd157aa925543abaaf248cffe263fae0c33f4b
    SHA512: 8e3e890523a31c0ab4ac80400215fdd860dacedd45baf25e02a61b3f52b7fad8424c632ce2996f6f0a6e69f8a29db838febdab7636e7204b50790ae0adf0e0f6

  • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif
    Filesize: 924KB
    MD5: 848164d084384c49937f99d5b894253e
    SHA1: 3055ef803eeec4f175ebf120f94125717ee12444
    SHA256: f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
    SHA512: aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

  • memory/2692-28-0x0000000077E00000-0x0000000077ED6000-memory.dmp
    Filesize: 856KB

  • memory/2692-34-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-36-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize: 4KB

  • memory/2692-37-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-38-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-39-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-40-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-41-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB

  • memory/2692-42-0x0000000003C90000-0x0000000003CED000-memory.dmp
    Filesize: 372KB