Analysis
- max time kernel: 150s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 06:20
- Static task: static1
- Behavioral task: behavioral1
  - Sample: MalwareBazaar.exe
  - Resource: win7-20240704-en
General
- Target: MalwareBazaar.exe
- Size: 691KB
- MD5: 47a2a7a19ce5697f30aec774d5b7f9b7
- SHA1: dfa50083c7dd8caabdf1abf9a72cee128c32fe3c
- SHA256: f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2
- SHA512: 59c08155dce6e69a1d0abb43f0df5711f5dc40707f88e8dd12660092710f142d8b8a2fbf2c19b4f2deb7c637245914038f25bb586ce9e53b9ed6eb62fb072feb
- SSDEEP: 12288:baODWx2PQfDxCP5M90yYgo2HckARGXHn4tOBPb5np2Fna1u4HkR:bxawMDIGiIJ0GXHnaONnp8n2S
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dk07
Signatures
- Formbook payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/2520-23-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral1/memory/2520-27-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral1/memory/1664-30-0x0000000000090000-0x00000000000BF000-memory.dmp: formbook
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid / process):
  - 2788 powershell.exe
  - 584 powershell.exe
- Deletes itself (1 IoC)
  Processes (pid / process):
  - 1448 cmd.exe
- Suspicious use of SetThreadContext (4 IoCs)
  Processes (description / pid / process / target process):
  - PID 852 set thread context of 2520: MalwareBazaar.exe -> MalwareBazaar.exe
  - PID 2520 set thread context of 1256: MalwareBazaar.exe -> Explorer.EXE
  - PID 2520 set thread context of 1256: MalwareBazaar.exe -> Explorer.EXE
  - PID 1664 set thread context of 1256: wuapp.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (31 IoCs)
  Processes (pid / process, with repeat counts):
  - 2520 MalwareBazaar.exe (x3)
  - 584 powershell.exe (x1)
  - 2788 powershell.exe (x1)
  - 1664 wuapp.exe (x26)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes (pid / process, with repeat counts):
  - 2520 MalwareBazaar.exe (x4)
  - 1664 wuapp.exe (x2)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 2520 MalwareBazaar.exe
  - Token: SeDebugPrivilege, 584 powershell.exe
  - Token: SeDebugPrivilege, 2788 powershell.exe
  - Token: SeDebugPrivilege, 1664 wuapp.exe
- Suspicious use of WriteProcessMemory (30 IoCs)
  Processes (description / pid / process / target process, with repeat counts):
  - PID 852 wrote to memory of 2788: MalwareBazaar.exe -> powershell.exe (x4)
  - PID 852 wrote to memory of 584: MalwareBazaar.exe -> powershell.exe (x4)
  - PID 852 wrote to memory of 2668: MalwareBazaar.exe -> schtasks.exe (x4)
  - PID 852 wrote to memory of 2520: MalwareBazaar.exe -> MalwareBazaar.exe (x7)
  - PID 1256 wrote to memory of 1664: Explorer.EXE -> wuapp.exe (x7)
  - PID 1664 wrote to memory of 1448: wuapp.exe -> cmd.exe (x4)
Processes
- C:\Windows\Explorer.EXE (PID 1256)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 852)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 584)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2668)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B8.tmp"
      - Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wuapp.exe (PID 1664)
    Command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1448)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not shown in the report)
  - Filesize: 1KB
  - MD5: bb00c0621750558259d35c7661232d68
  - SHA1: 1f5c3b541e60354c0a12fa26ad6fbbce904c7e4e
  - SHA256: 749da1017a12ec684c96e10226f7b8a5d29723c4d7781e8e7ad6e394feb569bb
  - SHA512: 052baee61322d314ce2ba1d8d5f5ed2a2b19a40a35b3baa364fd0ead85e77003b521b012085fff51fbdf00fdd48f831575293ca2b98ad8e5c23c14d80ee542fa
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5YMRJ9QPQD0EFZK95GS6.temp
  - Filesize: 7KB
  - MD5: 9bd6894a5769bf653b28b9366d365758
  - SHA1: 79bcb117ce2d859601232f773a81a35f6fdf381e
  - SHA256: 96b77083b606d9dad131ae6fbd5d9c0c0b7cb5e99a4d69724c42ff26fdd9d393
  - SHA512: fe5da0d3888fea3e243617af21b7978671de9873e622d7eff10dd29181a9e6cb6fb4819456b4ac4c41a1510d5071a04d4d25b973a3cf832b1cd836dc6437e0c9