Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
09-07-2024 11:21
General
-
Target
MalwareBazaar.exe
-
Size
398KB
-
MD5
b1c35e78f5d588430c4f534479def9f2
-
SHA1
f787dd3327ca04361935f74867f76f16821db99f
-
SHA256
4412e46cdfffa346ea1d4e07b30077ccaa09fe1cbbe6f9965df193f2e063f4b7
-
SHA512
5f78e6794ae313f5ca96c33fe0ecf0c882a18a93caa54bf92823ac42c5c753b6a98d4c77618de2b62cbc9d24e6e500272e4ffa7b25afff20b7e8349fc278a66c
-
SSDEEP
12288:9GkmNVhJhqnfP30YhNia+nv4tQD3W/P19QY:9GkmPh7qfPrsQeD3W/bd
Malware Config
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
UAC bypass 3 TTPs 1 IoCs
-
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 3 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry key 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Vangede=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Reexpression.Tid';$Spondylotomy=$Vangede.SubString(70479,3);.$Spondylotomy($Vangede)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Ortyginae" /t REG_EXPAND_SZ /d "%Monopolizables% -windowstyle minimized $masturbated=(Get-ItemProperty -Path 'HKCU:\Audiometeret\').Rudolph;%Monopolizables% ($masturbated)"5⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fuiyczanpr"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fuiyczanpr"4⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hovjvslpdznnmf"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hovjvslpdznnmf"4⤵
- Accesses Microsoft Outlook accounts
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\srbbwkwizifrwujzw"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
132B
MD51caccddbf121cb45204f0e560285e8f3
SHA15b599e96809ed691ebea4338e1f2cb53a58e633b
SHA2565e9630fae07c9509fe8df9c38d8ef4d03a55057a1cd8d717a115fb0ebca29fe8
SHA51214b1ee6fbcd2070eb970c08673895dc53b4f48567c72f4b60e58b75da7a30e17c77eaddb00d8e49e71c3fe8330a93ec65bd9e1ab09c3b7b198d164fe2353b244
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD5f3cf9e43fc7977c8af0a251a87b79b4a
SHA144b709fd5d0933f4430e4226d04376cf12c5210e
SHA256af11fd5fb7256792c24e545b0f9ce676a71f4ae9b13752bfbc7a02a86302d811
SHA51250926bb7e8e09f6bc1c63b4a818c66d40d167d6fa48d34eace32e2009097dd5bb446c2bae0785059772697a35dfe61f40a80c74f42fe4da3251e7e159b2c8e61
-
Filesize
344KB
MD51a78d0f226d0db154812e61b8cadb4b8
SHA1e76650e32ed8bc1e3d72dde1aa6566ff031e0c6e
SHA25619997e372b58bcd5bacd8b199b1633307f0c89fc3ce7abfd4087ec739742f78e
SHA512b06759e8bfeb73187c5277aaaa9c6489f51a88f42b461ec0775de6741f6b797dc3c2cbb8f6cf79815078a420a26cde9cedd861c4d16ac73a037e2160efc4ec41
-
Filesize
68KB
MD5d89dac6d6bcfb431c31bdf7d21f48fbd
SHA12f55f2b77da6a9078c7bb90fd87b205c9c4cf3b9
SHA256ffeacf6c0a98133600a0f1de25732fb4b22b06af6921edd316e52a6d7837359b
SHA51276eb9025c18fd7661cb72d47c7eda57a45304594e5aea32fe73b1dd94ec9db81753726f83e6d9f82924c3b9295eef4725dbaa7d633963ac8e8e91b7444346070
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
392KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
144KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
43.6MB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
304KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
43.6MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
216KB