Analysis

- max time kernel: 146s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-07-2024 07:16

- Static task: static1
- Behavioral task: behavioral1
- Sample: MalwareBazaar.exe
- Resource: win7-20240708-en
General

- Target: MalwareBazaar.exe
- Size: 677KB
- MD5: 6c63cd4270013e1d03abde4d6acf18fe
- SHA1: 70a81b1b6d7b773d48e6293d23cb7858d69d4a7b
- SHA256: 94f29a8158717b4c268b41e8eb72bc7301f2d4578dc41a06deabe79ff8e767dd
- SHA512: e05335e284dc5941fe678f24307ea08d5a5a12ce769cc1be1541cc544f3eac99970f6757e0dd93b687569f165e4bb022965be87fc3041095d718abd9f904d0d8
- SSDEEP: 12288:BJbDWx2PQf9YGtFgiscZBpOf9DtMu461PxlWGsxthsQYG:BFawMZ/g0p0su163HyQYG
Malware Config

Extracted

- Family: formbook
- Version: 4.1
- Campaign: h209
Signatures

Formbook payload (3 IoCs)

| resource | yara_rule |
| --- | --- |
| behavioral2/memory/932-30-0x0000000000400000-0x000000000042F000-memory.dmp | formbook |
| behavioral2/memory/932-22-0x0000000000400000-0x000000000042F000-memory.dmp | formbook |
| behavioral2/memory/2872-71-0x0000000000D00000-0x0000000000D2F000-memory.dmp | formbook |

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 1 IoCs)

Looks up the country code configured in the registry, likely a geofence.

| description | ioc | process |
| --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | MalwareBazaar.exe |

Suspicious use of SetThreadContext (3 IoCs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2952 set thread context of 932 | 2952 | MalwareBazaar.exe | MalwareBazaar.exe |
| PID 932 set thread context of 3456 | 932 | MalwareBazaar.exe | Explorer.EXE |
| PID 2872 set thread context of 3456 | 2872 | netsh.exe | Explorer.EXE |

Enumerates physical storage devices (1 TTPs)

Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)

Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (62 IoCs; distinct pid/process pairs)

| pid | process |
| --- | --- |
| 2952 | MalwareBazaar.exe |
| 4872 | powershell.exe |
| 932 | MalwareBazaar.exe |
| 2872 | netsh.exe |

Suspicious behavior: MapViewOfSection (5 IoCs; distinct pid/process pairs)

| pid | process |
| --- | --- |
| 932 | MalwareBazaar.exe |
| 2872 | netsh.exe |

Suspicious use of AdjustPrivilegeToken (6 IoCs)

| description | pid | process |
| --- | --- | --- |
| Token: SeDebugPrivilege | 2952 | MalwareBazaar.exe |
| Token: SeDebugPrivilege | 4872 | powershell.exe |
| Token: SeDebugPrivilege | 932 | MalwareBazaar.exe |
| Token: SeDebugPrivilege | 2872 | netsh.exe |
| Token: SeShutdownPrivilege | 3456 | Explorer.EXE |
| Token: SeCreatePagefilePrivilege | 3456 | Explorer.EXE |

Suspicious use of UnmapMainImage (1 IoCs)

| pid | process |
| --- | --- |
| 3456 | Explorer.EXE |

Suspicious use of WriteProcessMemory (24 IoCs; distinct source/target pairs)

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2952 wrote to memory of 4872 | 2952 | MalwareBazaar.exe | powershell.exe |
| PID 2952 wrote to memory of 1328 | 2952 | MalwareBazaar.exe | schtasks.exe |
| PID 2952 wrote to memory of 1600 | 2952 | MalwareBazaar.exe | MalwareBazaar.exe |
| PID 2952 wrote to memory of 4884 | 2952 | MalwareBazaar.exe | MalwareBazaar.exe |
| PID 2952 wrote to memory of 932 | 2952 | MalwareBazaar.exe | MalwareBazaar.exe |
| PID 3456 wrote to memory of 2872 | 3456 | Explorer.EXE | netsh.exe |
| PID 2872 wrote to memory of 2396 | 2872 | netsh.exe | cmd.exe |
Processes

- C:\Windows\Explorer.EXE (PID 3456)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2952)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    Signatures: Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4872)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\emFutmUjEJiXFv.exe"
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\schtasks.exe (PID 1328)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emFutmUjEJiXFv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB0D1.tmp"
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 1600)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 4884)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 932)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autoconv.exe (PID 3680)
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
  - C:\Windows\SysWOW64\netsh.exe (PID 2872)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2396)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1

- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2

- Filesize: 1KB
- MD5: b2b83b1ae858e53d28b6e3acc7ef7767
- SHA1: e19b9db24bacaf1c7abf4a48fe340953cc5f7a6d
- SHA256: 3b6c9c5c254ccef0fef268895bc9e1ea7161f8d32d71869a8a50f7759f058ca4
- SHA512: 5b5b1656ab8ca70b8af6c7f7cc877127c0d65730423637840f44cf1ff7f464d66561eb4eee44a6f82d875660d2bc6f1eb0629c3f8fb4dbc9ff0255a8eea4e053