Analysis
max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-07-2024 17:01
Static task: static1
Behavioral task: behavioral1
Sample: MalwareBazaar.exe
Resource: win7-20240704-en
General
Target: MalwareBazaar.exe
Size: 677KB
MD5: 978af787e7c03fa3cb90bc9cecf33862
SHA1: c7748a8f4b34af3a8e76e1583ac14cd95c32ac9e
SHA256: 2a346621e42f809c9cbfaf01bd2baa682838165f5e24c7c945f855671fc457e4
SHA512: 943269d4678ca4de5f45ca891b3eecdbd6c5835c53055c246bfd918beaea6f09c4c0a2b263ec687a7440a4d0b492a4089aa168c6d80f5d36b89a4f9669d71ca6
SSDEEP: 12288:bUME/4AgZ9n0Ao3NX0pQm0FSD8GBkxb3fOOE7MxIpNu4jOtM/u61IVA:FE/4AgX0AL108AGBE3fu1jOeW61IVA
Malware Config
Extracted: formbook 4.1, v15n
Domains:
dyahwoahjuk.store
toysstorm.com
y7rak9.com
2222233p6.shop
betbox2341.com
visualvarta.com
nijssenadventures.com
main-12.site
leng4d.net
kurainu.xyz
hatesa.xyz
culturamosaica.com
supermallify.store
gigboard.app
rxforgive.com
ameliestones.com
kapalwin.live
tier.credit
sobol-ksa.com
faredeal.online
226b.xyz
talktohannaford500.shop
mxrkpkngishbdss.xyz
mirotcg.info
turbo3club.site
hjnd28t010cop.cyou
marveloustep.shop
syedlatief.com
comfortableleather.com
alltradescortland.com
dnwgt80508yoec8pzq.top
kedai168ef.com
gelgoodlife.com
nxtskey.com
milliedevine.store
wordcraftart.fun
mpo525.monster
bt365851.com
dogeversetoken.net
boostgrowmode.com
dacapital.net
project21il.com
go4stores.com
brunoduarte.online
sexgodmasterclass.com
wuhey.shop
jdginl892e.xyz
agenkilat-official.space
hacks.digital
suv.xyz
fwbsmg.life
vicmvm649n.top
wbahdfw.icu
creativelyloud.com
merrycleanteam.com
solar-systems-panels-58747.bond
rotaryclubofmukono.com
bethanyumcnola.info
breezafan.com
ny-robotictoys.com
lawyers-br-pt-9390663.fyi
neurasaudi.com
dgccb.com
sayuri-walk.com
gtur.top
Signatures
Formbook payload (4 IoCs)
Processes (resource, yara_rule):
- behavioral2/memory/1256-10-0x0000000000400000-0x000000000042F000-memory.dmp, formbook
- behavioral2/memory/1256-15-0x0000000000400000-0x000000000042F000-memory.dmp, formbook
- behavioral2/memory/1256-19-0x0000000000400000-0x000000000042F000-memory.dmp, formbook
- behavioral2/memory/4392-24-0x0000000001260000-0x000000000128F000-memory.dmp, formbook
Suspicious use of SetThreadContext (4 IoCs)
Processes: MalwareBazaar.exe, ipconfig.exe (description, pid, process, target process):
- PID 5024 set thread context of 1256, 5024 MalwareBazaar.exe -> MalwareBazaar.exe
- PID 1256 set thread context of 3412, 1256 MalwareBazaar.exe -> Explorer.EXE
- PID 1256 set thread context of 3412, 1256 MalwareBazaar.exe -> Explorer.EXE
- PID 4392 set thread context of 3412, 4392 ipconfig.exe -> Explorer.EXE
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes: ipconfig.exe (pid, process):
- 4392 ipconfig.exe
Modifies registry class (1 IoCs)
Processes: Explorer.EXE (description, ioc, process):
- Key created, \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\, Explorer.EXE
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes: MalwareBazaar.exe, ipconfig.exe (pid, process):
- 1256 MalwareBazaar.exe (6 entries)
- 4392 ipconfig.exe (remaining 50 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: MalwareBazaar.exe, ipconfig.exe (pid, process):
- 1256 MalwareBazaar.exe (4 entries)
- 4392 ipconfig.exe (2 entries)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: MalwareBazaar.exe, ipconfig.exe, Explorer.EXE (description, pid, process):
- Token: SeDebugPrivilege, 1256 MalwareBazaar.exe
- Token: SeDebugPrivilege, 4392 ipconfig.exe
- Token: SeShutdownPrivilege, 3412 Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3412 Explorer.EXE
- Token: SeShutdownPrivilege, 3412 Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3412 Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE (pid, process):
- 3412 Explorer.EXE (2 entries)
Suspicious use of UnmapMainImage (1 IoCs)
Processes: Explorer.EXE (pid, process):
- 3412 Explorer.EXE
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: MalwareBazaar.exe, Explorer.EXE, ipconfig.exe (description, pid, process, target process):
- PID 5024 wrote to memory of 1256, 5024 MalwareBazaar.exe -> MalwareBazaar.exe (6 entries)
- PID 3412 wrote to memory of 4392, 3412 Explorer.EXE -> ipconfig.exe (3 entries)
- PID 4392 wrote to memory of 3984, 4392 ipconfig.exe -> cmd.exe (3 entries)
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 3412
   2. C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 5024
      3. C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         PID: 1256
   2. C:\Windows\SysWOW64\ipconfig.exe
      Command line: "C:\Windows\SysWOW64\ipconfig.exe"
      - Suspicious use of SetThreadContext
      - Gathers network information
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4392
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
         PID: 3984