Analysis
- max time kernel: 145s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 06:06
Static task: static1
Behavioral task: behavioral1
Sample: MalwareBazaar.exe
Resource: win7-20240705-en
General
- Target: MalwareBazaar.exe
- Size: 677KB
- MD5: 6c63cd4270013e1d03abde4d6acf18fe
- SHA1: 70a81b1b6d7b773d48e6293d23cb7858d69d4a7b
- SHA256: 94f29a8158717b4c268b41e8eb72bc7301f2d4578dc41a06deabe79ff8e767dd
- SHA512: e05335e284dc5941fe678f24307ea08d5a5a12ce769cc1be1541cc544f3eac99970f6757e0dd93b687569f165e4bb022965be87fc3041095d718abd9f904d0d8
- SSDEEP: 12288:BJbDWx2PQf9YGtFgiscZBpOf9DtMu461PxlWGsxthsQYG:BFawMZ/g0p0su163HyQYG
Malware Config
Extracted
formbook
4.1
h209
Signatures

Formbook payload 3 IoCs
Processes:
- behavioral1/memory/2744-18-0x0000000000400000-0x000000000042F000-memory.dmp (yara_rule: formbook)
- behavioral1/memory/2744-21-0x0000000000400000-0x000000000042F000-memory.dmp (yara_rule: formbook)
- behavioral1/memory/2660-26-0x00000000000D0000-0x00000000000FF000-memory.dmp (yara_rule: formbook)
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Deletes itself 1 IoCs
Processes:
- pid 2808 cmd.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
(description: process -> target process)
- PID 2068 set thread context of 2744: 2068 MalwareBazaar.exe -> MalwareBazaar.exe
- PID 2744 set thread context of 1144: 2744 MalwareBazaar.exe -> Explorer.EXE
- PID 2744 set thread context of 1144: 2744 MalwareBazaar.exe -> Explorer.EXE
- PID 2660 set thread context of 1144: 2660 msiexec.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
(pid process)
- 2744 MalwareBazaar.exe (3 entries)
- 1216 powershell.exe (1 entry)
- 2660 msiexec.exe (25 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
(pid process)
- 2744 MalwareBazaar.exe (4 entries)
- 2660 msiexec.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
(description: pid process)
- Token: SeDebugPrivilege: 2744 MalwareBazaar.exe
- Token: SeDebugPrivilege: 1216 powershell.exe
- Token: SeDebugPrivilege: 2660 msiexec.exe
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
(description: process -> target process)
- PID 2068 wrote to memory of 1216: 2068 MalwareBazaar.exe -> powershell.exe (4 entries)
- PID 2068 wrote to memory of 2516: 2068 MalwareBazaar.exe -> schtasks.exe (4 entries)
- PID 2068 wrote to memory of 2744: 2068 MalwareBazaar.exe -> MalwareBazaar.exe (7 entries)
- PID 2744 wrote to memory of 2660: 2744 MalwareBazaar.exe -> msiexec.exe (7 entries)
- PID 2660 wrote to memory of 2808: 2660 msiexec.exe -> cmd.exe (4 entries)
Processes
- C:\Windows\Explorer.EXE (PID 1144, level 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2068, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1216, level 3)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\emFutmUjEJiXFv.exe"
      signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 2516, level 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emFutmUjEJiXFv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF354.tmp"
      signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2744, level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\msiexec.exe (PID 2660, level 4)
        command line: "C:\Windows\SysWOW64\msiexec.exe"
        signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (PID 2808, level 5)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
          signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: ec3c7ebc6eeae74d75bf3b84513216dc
- SHA1: df3cf7350e1d386c46a768ff5c3c41899c5abfb3
- SHA256: cf3bffed0f3d19088cb35a36d6fcc4682398d6c3fb0ea43b8de5001850855285
- SHA512: 5d826ed33a344fc8da864eed8246bdad81cf848cebb165d919418f9d9fec8c302fe22f8b651b878623549a92887ff79600f880d03d6cee8cc128218f69156d46