4f0243930267af37170243d384fc111b2ca3da9a3497cb7862485d7b62d71607

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

668KB
MD5

5cc4c28bcb6afcd6f0cbf9fe72e62905
SHA1

a01adb1d5428cb9c8ed9204753d5769b815c1503
SHA256

4f0243930267af37170243d384fc111b2ca3da9a3497cb7862485d7b62d71607
SHA512

6849a43d9ad133b050ca5087bc94ced28e88c820e6303c3241a707052129a84344437ef324c5905de83e6f352492b4b565c2bc10c3a4f19229816d90a20a5c00
SSDEEP

12288:bCc0RBN2iN/m2j1gQs5nx/FUkmPxYwlxFJHxj/14GBw:bCc0RBN1FjJgxrF7CxrxFJRx

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2900	powershell.exe
2540	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2692	MalwareBazaar.exe
2540	powershell.exe
2900	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	MalwareBazaar.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2900	2692	MalwareBazaar.exe	30
PID 2692 wrote to memory of 2900	2692	MalwareBazaar.exe	30
PID 2692 wrote to memory of 2900	2692	MalwareBazaar.exe	30
PID 2692 wrote to memory of 2900	2692	MalwareBazaar.exe	30
PID 2692 wrote to memory of 2540	2692	MalwareBazaar.exe	32
PID 2692 wrote to memory of 2540	2692	MalwareBazaar.exe	32
PID 2692 wrote to memory of 2540	2692	MalwareBazaar.exe	32
PID 2692 wrote to memory of 2540	2692	MalwareBazaar.exe	32
PID 2692 wrote to memory of 2516	2692	MalwareBazaar.exe	34
PID 2692 wrote to memory of 2516	2692	MalwareBazaar.exe	34
PID 2692 wrote to memory of 2516	2692	MalwareBazaar.exe	34
PID 2692 wrote to memory of 2516	2692	MalwareBazaar.exe	34
PID 2692 wrote to memory of 1484	2692	MalwareBazaar.exe	36
PID 2692 wrote to memory of 1484	2692	MalwareBazaar.exe	36
PID 2692 wrote to memory of 1484	2692	MalwareBazaar.exe	36
PID 2692 wrote to memory of 1484	2692	MalwareBazaar.exe	36
PID 2692 wrote to memory of 1500	2692	MalwareBazaar.exe	37
PID 2692 wrote to memory of 1500	2692	MalwareBazaar.exe	37
PID 2692 wrote to memory of 1500	2692	MalwareBazaar.exe	37
PID 2692 wrote to memory of 1500	2692	MalwareBazaar.exe	37
PID 2692 wrote to memory of 2060	2692	MalwareBazaar.exe	38
PID 2692 wrote to memory of 2060	2692	MalwareBazaar.exe	38
PID 2692 wrote to memory of 2060	2692	MalwareBazaar.exe	38
PID 2692 wrote to memory of 2060	2692	MalwareBazaar.exe	38
PID 2692 wrote to memory of 2408	2692	MalwareBazaar.exe	39
PID 2692 wrote to memory of 2408	2692	MalwareBazaar.exe	39
PID 2692 wrote to memory of 2408	2692	MalwareBazaar.exe	39
PID 2692 wrote to memory of 2408	2692	MalwareBazaar.exe	39
PID 2692 wrote to memory of 2240	2692	MalwareBazaar.exe	40
PID 2692 wrote to memory of 2240	2692	MalwareBazaar.exe	40
PID 2692 wrote to memory of 2240	2692	MalwareBazaar.exe	40
PID 2692 wrote to memory of 2240	2692	MalwareBazaar.exe	40

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FseiVX.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FseiVX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9EDE.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  2⤵
  PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9EDE.tmp

Filesize
1KB

MD5
c8f139c209fab9c913e5145e5e6813c2

SHA1
3403e45a7cb442e4417666ae9b021b2522826d8d

SHA256
fe57c4c64c9c583e205b7eadbfdba3554780f3feddeb8bbb2119859b012cfdd5

SHA512
6567e8cb47c9b37ea3abf4ef7d367afba1c80b060be4c42b3ea4011b6a9c8bdce184428d756820f49cf3bd4ae29c810294f715ce4fd21deb520b4a380a61d476

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
52845c302c44a59faa641eed461600c6

SHA1
5812c760e0b47c8b6356c0746ff693d561dfa2ba

SHA256
08f5284f3b4b66bd212804f3fb81c04a761ba065574abdda454ead4e6a90002b

SHA512
d410e02f33653866d29649232f69670e5e515c8db24e73eac7d50364246b6f162452f526abbda4e63c80fa2713b7ebdf323d6e24731f0f508b8cd10bc9bcf267

Download Submit
memory/2692-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2692-1-0x0000000000280000-0x000000000032E000-memory.dmp

Filesize
696KB

Download
memory/2692-2-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/2692-3-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2692-4-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2692-5-0x0000000001DF0000-0x0000000001DFE000-memory.dmp

Filesize
56KB

Download
memory/2692-6-0x00000000042B0000-0x0000000004312000-memory.dmp

Filesize
392KB

Download
memory/2692-7-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/2692-20-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download