Analysis
max time kernel: 146s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 07:16
Static task: static1
Behavioral task: behavioral1
Sample: MalwareBazaar.exe
Resource: win7-20240708-en
General
Target: MalwareBazaar.exe
Size: 677KB
MD5: 6c63cd4270013e1d03abde4d6acf18fe
SHA1: 70a81b1b6d7b773d48e6293d23cb7858d69d4a7b
SHA256: 94f29a8158717b4c268b41e8eb72bc7301f2d4578dc41a06deabe79ff8e767dd
SHA512: e05335e284dc5941fe678f24307ea08d5a5a12ce769cc1be1541cc544f3eac99970f6757e0dd93b687569f165e4bb022965be87fc3041095d718abd9f904d0d8
SSDEEP: 12288:BJbDWx2PQf9YGtFgiscZBpOf9DtMu461PxlWGsxthsQYG:BFawMZ/g0p0su163HyQYG
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: h209
C2:
sbtstuff.site
omlyes.com
movershifting.com
gearballer.com
oketoto.pro
myringleader.com
lrcjc750s.xyz
ata2024.xyz
password-manager-89409.bond
aiassistanthub.net
changvolt.cfd
netino.site
wear-wale.com
omnipresenceagency.com
huangguan.ooo
propersonnelmedia.com
9332952.com
k3s.support
ciytrw.xyz
cb095.pro
royalreshortbooking.xyz
studio29photography.com
62472.xyz
offerseshop.com
xn--mjru74buk5boca.store
jzzkjvaz.com
qzbt7s.com
atsinvest.com
goldengoosemultiplier.com
investing-courses-66663.bond
blueflamenews.com
xn--72cb0bab2pc6b3j3b.com
damtv24.xyz
ya1w.top
margueritemeilleure.com
zinittech.com
testingdomain.xyz
zakenlatyn.xyz
jungdofire.com
jackpfenninger.com
comfyquiltsbysusan.com
weststarconstructions.com
accrevcenglobal.com
ok9km1.fun
cxbqchm.life
review-with-hossain.com
webmedianews.com
visioncaretutor.com
r9x4g.xyz
nicorinehart.com
airhead.icu
genesisproj.online
hebatduta77.com
xiaopangonsol.com
cilynder.com
nestnerd.xyz
95476.photos
wearepartisan.rocks
snowshop4.com
podoc.fun
psicologaceciliabarros.com
klassens.info
therocketlobsters.com
world-palace.com
antibirdnetservices.com
Signatures

Formbook payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2768-18-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/3036-22-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Deletes itself (1 IoCs)
pid | process
2776 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 2300 set thread context of 2768 | 2300 | MalwareBazaar.exe | MalwareBazaar.exe
PID 2768 set thread context of 1180 | 2768 | MalwareBazaar.exe | Explorer.EXE
PID 3036 set thread context of 1180 | 3036 | msdt.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid | process | occurrences
2768 | MalwareBazaar.exe | 2
2332 | powershell.exe | 1
3036 | msdt.exe | 27

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | occurrences
2768 | MalwareBazaar.exe | 3
3036 | msdt.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2768 | MalwareBazaar.exe
Token: SeDebugPrivilege | 2332 | powershell.exe
Token: SeDebugPrivilege | 3036 | msdt.exe

Suspicious use of WriteProcessMemory (23 IoCs)
description | pid | process | target process | occurrences
PID 2300 wrote to memory of 2332 | 2300 | MalwareBazaar.exe | powershell.exe | 4
PID 2300 wrote to memory of 584 | 2300 | MalwareBazaar.exe | schtasks.exe | 4
PID 2300 wrote to memory of 2768 | 2300 | MalwareBazaar.exe | MalwareBazaar.exe | 7
PID 1180 wrote to memory of 3036 | 1180 | Explorer.EXE | msdt.exe | 4
PID 3036 wrote to memory of 2776 | 3036 | msdt.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE (depth 1, PID 1180)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2, PID 2300)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3, PID 2332)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\emFutmUjEJiXFv.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (depth 3, PID 584)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emFutmUjEJiXFv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF364.tmp"
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 3, PID 2768)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe (depth 2, PID 3036)
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3, PID 2776)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 2809f077ae30f9173401c6452be8aeca
SHA1: 73989777b0826f86501b346856b86479488fb997
SHA256: ee8b580df4d2377344f645197db824e0b84c8a798f649379bd735c3cef57e525
SHA512: cad822b2f59d82f81a9e9808734bf326249cc183292717148c8b64660cf97394699acaff6b384c737dfe4f015c12d034b11b1f0b87335044ea13ae0f74c80a84