Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240704-en  locale:en-us  os:windows7-x64  system
  • submitted
    09-07-2024 11:11

General

  • Target

    MalwareBazaar.exe

  • Size

    387KB

  • MD5

    06e45d2db3c52517fc7139b3b32a4742

  • SHA1

    602ab4e85c1506af02d51e144298bac3aea331ca

  • SHA256

    9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f

  • SHA512

    32e1131c14136721d872ea13736fe7041d8d7e09a1efac363a4bc1d29a9bcd4fcfc8e523cf689386a7e8fe67100194211a1ea9934f7fde5f241df77adcdb61bd

  • SSDEEP

    12288:3GqS6hqE06uAyNOcSN6dJjfJ1mPaxm5Bj3O9X:3GqS6hb0Kd4FBcixmBje9

Malware Config

Signatures

  • GuLoader, CloudEyE

    A shellcode-based downloader, first seen in 2020.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Metabolizable=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139';$Kumpan=$Metabolizable.SubString(7195,3);.$Kumpan($Metabolizable)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:2384
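Added example, not part of the sandbox report or its vendor's tooling: a small Python triage script that takes the five command lines from the process tree above as constructed input and applies the checks an analyst would turn into detections from this run. The field names (pid, ppid, image, cmdline) are this example's own, not the sandbox's export format; the claim that the 3-character slice pulled out with SubString(7195,3) is a cmdlet alias such as iex is an assumption (the report does not show the content of Emptyhanded.Sla139); and the set of injection hosts is this example's assumption seeded with the one binary the report shows (wab.exe spawned by powershell.exe, the pair on which the report flags SetThreadContext and NtSetInformationThreadHideFromDebugger).

```python
import re

# Constructed sample input: the five processes from the tree above, with the
# parent/child links that the tree's indentation expresses. The field names
# are this example's own, not the sandbox's export format.
SAMPLE_PROCESSES = [
    {"pid": 2696, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'},
    {"pid": 2816, "ppid": 2696,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"powershell.exe" -windowstyle hidden "$Metabolizable=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139';$Kumpan=$Metabolizable.SubString(7195,3);.$Kumpan($Metabolizable)"'''},
    {"pid": 1288, "ppid": 2816,
     "image": r"C:\Program Files (x86)\windows mail\wab.exe",
     "cmdline": r'"C:\Program Files (x86)\windows mail\wab.exe"'},
    {"pid": 2416, "ppid": 1288,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"'''},
    {"pid": 2384, "ppid": 2416,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"'''},
]


def _base(image):
    """Executable name from a Windows path (os.path.basename does not split '\\' on Linux)."""
    return image.rsplit("\\", 1)[-1].lower()


def rule_hidden_powershell(p):
    """PowerShell started with its console window hidden (-windowstyle hidden / -w hidden)."""
    return _base(p["image"]) == "powershell.exe" and bool(
        re.search(r"-w(?:indowstyle)?\s+hidden\b", p["cmdline"], re.I))


def rule_runtime_cmdlet_name(p):
    """The command to invoke is sliced out of file content at run time
    (.$Kumpan(...) after $Kumpan=$X.SubString(7195,3)), so the cmdlet name
    never appears on the command line. Assumption: the 3-char slice is an
    alias such as iex; the report does not show the file's content."""
    c = p["cmdline"]
    return bool(re.search(r"\.SubString\(\s*\d+\s*,\s*\d+\s*\)", c, re.I)
                and re.search(r"[.&]\s*\$\w+\s*\(", c))


def rule_run_key_expand_sz(p):
    """HKCU Run value of type REG_EXPAND_SZ whose command starts with an
    environment variable: the interpreter path is only resolved at logon,
    so the stored value never names powershell.exe directly."""
    c = p["cmdline"]
    return all(re.search(pat, c, re.I) for pat in (
        r"\bREG\s+ADD\b",
        r"\\CurrentVersion\\Run\b",
        r"/t\s+REG_EXPAND_SZ\b",
        r"%\w+%"))


def rule_stage_in_registry(p):
    """The persisted command reads its next stage out of a custom HKCU key."""
    return bool(re.search(r"Get-ItemProperty\s+-Path\s+'HKCU:\\", p["cmdline"], re.I))


RULES = [
    ("hidden_powershell", rule_hidden_powershell),
    ("runtime_cmdlet_name", rule_runtime_cmdlet_name),
    ("run_key_expand_sz", rule_run_key_expand_sz),
    ("stage_in_registry", rule_stage_in_registry),
]

# Assumption of this example: signed Windows binaries used as hosts for injected
# code. Seeded with the one this report shows; extend with what you see locally.
INJECTION_HOSTS = {"wab.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parent_chain(processes, pid):
    """Executable names from the root of the tree down to pid."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def scan(processes):
    """Return (pid, rule_name) for every rule that fires, including the
    parent/child check for a script host spawning a known injection target."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        for name, rule in RULES:
            if rule(p):
                findings.append((p["pid"], name))
        parent = by_pid.get(p["ppid"])
        if (parent and _base(p["image"]) in INJECTION_HOSTS
                and _base(parent["image"]) in SCRIPT_HOSTS):
            findings.append((p["pid"], "script_host_spawned_injection_target"))
    return findings


if __name__ == "__main__":
    for pid, name in scan(SAMPLE_PROCESSES):
        print(f"{pid:5d}  {name:38s}  {' > '.join(parent_chain(SAMPLE_PROCESSES, pid))}")
```

On a live host the same rules apply to the Image/ParentImage/CommandLine fields of Sysmon event 1 or Security event 4688 (with command-line auditing enabled); the cmd.exe and reg.exe lines both fire the persistence rules because the REG ADD command is passed through unchanged, which is why a rule keyed on the Run value itself (registry event 13 in Sysmon, with a REG_EXPAND_SZ value beginning with %) is the more robust signal for this stage.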

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139

    Filesize

    65KB

    MD5

    67cb075314762a89035c6b2b15c68f00

    SHA1

    382134aa018f620cdfbab89a67ae7c10b22e8547

    SHA256

    a853d35e1301ceef0526d96852cf8ed766c3d9f04bc5a7b49522b02d1b4302ea

    SHA512

    5677a3b68f751f9cb252d45aa35f4609fe0f81c734b3ed44ddb2acd8e017c371027841892f61a7aa71debe950b2b7ea05ecdbfe577130c69a8d74c74cbaf4190

  • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Varmevrkernes160.Ove

    Filesize

    325KB

    MD5

    b9207704502bf9bc8956ea19f761c559

    SHA1

    dee462bb9bff33881c21ce2f8615a222cbb28aa2

    SHA256

    ea7565fe3b1b2fa90145b41406c2b175846785ba1be2d0248030dedbdd4aec6f

    SHA512

    cba66f601051aaee865574f94996c480873017195c122d750f7355a777359ec0ba05b5f786c88753c7e3b87a01daeae82edba1d3a799e09e28f7ef8bc1f6d704

  • memory/1288-46-0x0000000001820000-0x0000000005949000-memory.dmp

    Filesize

    65.2MB

  • memory/1288-45-0x00000000007B0000-0x0000000001812000-memory.dmp

    Filesize

    16.4MB

  • memory/2816-18-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-15-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-11-0x0000000073801000-0x0000000073802000-memory.dmp

    Filesize

    4KB

  • memory/2816-14-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-20-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-21-0x00000000067A0000-0x000000000A8C9000-memory.dmp

    Filesize

    65.2MB

  • memory/2816-22-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-13-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB

  • memory/2816-12-0x0000000073800000-0x0000000073DAB000-memory.dmp

    Filesize

    5.7MB