Resubmissions

12-04-2024 15:32

240412-sys2eabf59 10

21-02-2024 03:49

240221-edjeksba2x 10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-04-2024 15:32

General

  • Target

    9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe

  • Size

    1.0MB

  • MD5

    4334e838a1ad1e35a533d8ff6d55ea3d

  • SHA1

    cb617e4af09ee90e8918fb7488337a935750a318

  • SHA256

    9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88

  • SHA512

    0e107f77986171d13358eb780fbb3c243f1f4afbbfe5f615172e15de2bc1948932b82e592abedb03262444c81ebc86e1e2bfe7fffb3f964289a31c2f5e863dff

  • SSDEEP

    24576:0z28lByb3DFSo0hs6vZ0MZ0ZvJPqljO35FhAJacjuFlewy:0K8vommMtZO35FoQm

Score
10/10

Malware Config

Signatures

  • BunnyLoader

    BunnyLoader is a loader family written in C++.

  • Detect BunnyLoader 5 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
        "C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4360
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /k move Azerbaijan Azerbaijan.bat & Azerbaijan.bat & exit
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3096
          • C:\Windows\SysWOW64\tasklist.exe
            tasklist
            4⤵
            • Enumerates processes with tasklist
            • Suspicious use of AdjustPrivilegeToken
            PID:4028
          • C:\Windows\SysWOW64\findstr.exe
            findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
            4⤵
              PID:2296
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:4892
            • C:\Windows\SysWOW64\findstr.exe
              findstr /I "wrsa.exe opssvc.exe"
              4⤵
                PID:1796
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c md 1131
                4⤵
                  PID:696
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c copy /b Ap + Friend + County + Laws + Plant 1131\Memo.pif
                  4⤵
                    PID:928
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c copy /b Bring 1131\g
                    4⤵
                      PID:3812
                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif
                      1131\Memo.pif 1131\g
                      4⤵
                      • Suspicious use of NtCreateUserProcessOtherParentProcess
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:2216
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
                        5⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1660
                        • C:\Windows\SysWOW64\Wbem\WMIC.exe
                          wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
                          6⤵
                          • Suspicious use of AdjustPrivilegeToken
                          PID:652
                    • C:\Windows\SysWOW64\PING.EXE
                      ping -n 5 localhost
                      4⤵
                      • Runs ping.exe
                      PID:1740
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & echo URL="C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & exit
                  2⤵
                  • Drops startup file
                  PID:2312
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1672
                  • C:\Windows\SysWOW64\schtasks.exe
                    schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
                    3⤵
                    • Creates scheduled task(s)
                    PID:1540
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3836,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
                1⤵
                  PID:4620
                • C:\Windows\system32\wscript.EXE
                  C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js"
                  1⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:1216
                  • C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif
                    "C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif" "C:\Users\Admin\AppData\Local\MindWave Technologies LLC\Y"
                    2⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    PID:5076

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js

    Filesize

    186B

    MD5

    9e4fea19021e58c034eb119400077790

    SHA1

    b2a08bf0392273c044ce889f4091260822bf8f7c

    SHA256

    585d69bad9df943444bc2b787af11a0d4641a6a9a50bc08d937eebad986498c3

    SHA512

    6e008662340d43cfec8184c7e4f5493b15318b73eb46ec1a0da0d0501933394ed9db5f706845b097bbabe10a6f2742a2d70deb65a16e1fa9df742cc2d09d7aee

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif

    Filesize

    924KB

    MD5

    848164d084384c49937f99d5b894253e

    SHA1

    3055ef803eeec4f175ebf120f94125717ee12444

    SHA256

    f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

    SHA512

    aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ap

    Filesize

    259KB

    MD5

    a745de26cccd7229f9b3083e0e657c51

    SHA1

    ee6792f27d4d5e07f0d41dbd95b0fec772a94abf

    SHA256

    61e6fb53b7c6b26fdfbee29d63bb36c8dd33ed7fb8ed97ca488d107fbc1ba3c3

    SHA512

    9f1701d197b8e0fb1cd929404bfd9440c7ba5c724493a9a4831d9a885d1b6b169b67f344e73facefe18a753ebe22d78c61ea551a4820b7fb471d4b6670d9cc00

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Azerbaijan

    Filesize

    10KB

    MD5

    44c71397920468dddf7bb1dc8933259f

    SHA1

    fdf205c1c85f3b59dc4cf66523172fa3f37efce8

    SHA256

    75978ba45715cad18f1dc9acc0eec4a1e6194cda6cfcb44daaeb851be665f52e

    SHA512

    bf8b7e54ae65e4691a7981d6af792797be90bd55554f3f3d9316d0993e421a426046ced50cc91eac0bedaadbc315326201da640190192c1d6ff2d50a3c32369a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bring

    Filesize

    878KB

    MD5

    b833ca1c2478a60371622ef394d6867d

    SHA1

    4278d7af0744ed090c541563cbc2792988d00cd6

    SHA256

    cd82e9442c7643b70b267a68f2bbe271298e7474b8310cd50e4b6e586b7d9f44

    SHA512

    973dac96f9ecdf43b2bee02ffbc06583375c3fa6d2abe3541e8bb3697a6bee49f824954abb37b3385ddaf2c3447d8cea83e063349a8d5971ae0908f5430cfb0a

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\County

    Filesize

    206KB

    MD5

    23bfb44f90ecf7e147b21aeb638be0e8

    SHA1

    0764403645568683a776ef34bf4eb7c7f8775e6e

    SHA256

    70c40c9ca3ccfe1176875a073e911e8deb3e015b6ef2fd0051223a335dd76033

    SHA512

    d8e8caccff81bee0f30b2c12c40a976b9d1df94c50208647959bce2ea3dd4a2989ba4bec0918a0ff8a9456f5dad217acfb03b46f3c97eebb7139ff9760e29278

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Friend

    Filesize

    156KB

    MD5

    8a0bdcea077716b3eefce44a2de444ab

    SHA1

    3724020a71d0f9cc13e5f7bd4d079c92fdb01bed

    SHA256

    f70978891348d7b742c8012d05be109c5d93e05207dd0ac4d16484e496973552

    SHA512

    5ea039830291f78baabc13e00cae55532cf4aa77aca03955fb080e7da1b79f55334b22198238e85f090c3f76898cacf3a476704acd53672181d349d7a624cca7

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Laws

    Filesize

    284KB

    MD5

    cadb4ef1a35122c6bff9f2e1774ebbe9

    SHA1

    b711c1429a69a8922da301606b2e19648a0fe537

    SHA256

    c522ac485cfbdb75bb3f35bfe62263fb17cb64464e111d2e287b9084a85ff670

    SHA512

    6000f5511240431a9e320c5e2351a8518642786fe1aa0a59a5d523eb7899b88bf6e3ab5629d6cbf34866974b41511fdc55a83923c56da0caa92f20f360641f7e

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plant

    Filesize

    19KB

    MD5

    29d98b6cbc770d518dfbf5fd2f4fa178

    SHA1

    1d030e6fd228895d071c28f8e5f70676646f3734

    SHA256

    7d270a6900ef6385133b30e462bd157aa925543abaaf248cffe263fae0c33f4b

    SHA512

    8e3e890523a31c0ab4ac80400215fdd860dacedd45baf25e02a61b3f52b7fad8424c632ce2996f6f0a6e69f8a29db838febdab7636e7204b50790ae0adf0e0f6

  • memory/2216-27-0x0000000077401000-0x0000000077521000-memory.dmp

    Filesize

    1.1MB

  • memory/2216-35-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-36-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-37-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-38-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-39-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-40-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-41-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-43-0x0000000004B40000-0x0000000004B9D000-memory.dmp

    Filesize

    372KB

  • memory/2216-34-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

    Filesize

    4KB