Analysis
- max time kernel: 121s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 09-07-2024 11:24
Static task: static1
Behavioral task: behavioral1
- Sample: MalwareBazaar.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: MalwareBazaar.exe
- Resource: win10v2004-20240704-en
General
- Target: MalwareBazaar.exe
- Size: 400KB
- MD5: 9428d54a4aa6eb66abdca820a8f47d12
- SHA1: abd2a8b44ee4d5fd4cdb947600f340864dcf254f
- SHA256: f626d873512895ed8be4ead8d18d4db04bdb19a74a83d44759a45257582a75cd
- SHA512: 14024233434003249a918871e81f10048f13fa2079ce5c0bb78893bfef6621d8daa64031539b2a6b4627019935ea43a8f3de9e56937b5ec8a50af08258653c80
- SSDEEP: 12288:OGnKCJuXGUHTmuGwZyYMggzHm64P5WylOHVqZ:OGjutj/mFZylO1qZ
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run PowerShell and hide display window.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Offervilliges = "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\\Tilstransportlvr\\').Directoryet;%Quaternary% ($Funktionslederes)"
  process: reg.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes: wab.exe
  pid / process: 2060 wab.exe (2 entries)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: powershell.exe, wab.exe
  pid / process: 1580 powershell.exe; 2060 wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: powershell.exe
  description: PID 1580 set thread context of 2060
  pid / process: 1580 powershell.exe
  target process: wab.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: powershell.exe
  pid / process: 1580 powershell.exe (8 entries)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: powershell.exe
  pid / process: 1580 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: powershell.exe
  description: Token: SeDebugPrivilege
  pid / process: 1580 powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: MalwareBazaar.exe, powershell.exe, wab.exe, cmd.exe
  description / pid / process / target process:
  PID 2248 wrote to memory of 1580: 2248 MalwareBazaar.exe -> powershell.exe (4 entries)
  PID 1580 wrote to memory of 2060: 1580 powershell.exe -> wab.exe (6 entries)
  PID 2060 wrote to memory of 2720: 2060 wab.exe -> cmd.exe (4 entries)
  PID 2720 wrote to memory of 2604: 2720 cmd.exe -> reg.exe (4 entries)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  PID: 2248
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Chemosensitivity=Get-Content 'C:\Users\Admin\AppData\Roaming\annekskirkers\dommedagens\nonmenial\Rhagadiform199.Udl';$saalbnkes=$Chemosensitivity.SubString(72809,3);.$saalbnkes($Chemosensitivity)"
    PID: 1580
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2060
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"
        PID: 2720
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Offervilliges" /t REG_EXPAND_SZ /d "%Quaternary% -windowstyle minimized $Funktionslederes=(Get-ItemProperty -Path 'HKCU:\Tilstransportlvr\').Directoryet;%Quaternary% ($Funktionslederes)"
          PID: 2604
          - Adds Run key to start application
          - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 71KB
  MD5: fc2223e92e3b7eb6b306e7489bc9ea76
  SHA1: a886646121c2d0882b0f69cff28277fea465a431
  SHA256: 86fab35b54a947d4aba1fe2915a69748b51a8ee9cf9791678dcecda609d427af
  SHA512: 98ca788deef3630dbae7146d5377c44cd57a1bda8277a25170a033017f4a8b414e272d6d97e94139e306fed1e28e294a1e08d09d90fa49dc675ba5c9dda7e55e
- Filesize: 342KB
  MD5: bd2cb39300237694661fcb0686d7aeec
  SHA1: c912db66db40e04a9436c248d8ee19eaa4e2c5c7
  SHA256: 33deda6aca491470e132ec1feead0d380bd35b792f886a1cd1f1ce29e9b5b21e
  SHA512: 49ecdaa68f3d1502d947faae83da3e24cf2459c6a2576a07dcb14ab0ddc14c76b9d4874d823463e1c4ee4453764cf9c2f2930c3b4ca1513294c003bb8cf21d89