Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    18-07-2024 07:11

General

  • Target

    MalwareBazaar.exe

  • Size

    691KB

  • MD5

    47a2a7a19ce5697f30aec774d5b7f9b7

  • SHA1

    dfa50083c7dd8caabdf1abf9a72cee128c32fe3c

  • SHA256

    f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2

  • SHA512

    59c08155dce6e69a1d0abb43f0df5711f5dc40707f88e8dd12660092710f142d8b8a2fbf2c19b4f2deb7c637245914038f25bb586ce9e53b9ed6eb62fb072feb

  • SSDEEP

    12288:baODWx2PQfDxCP5M90yYgo2HckARGXHn4tOBPb5np2Fna1u4HkR:bxawMDIGiIJ0GXHnaONnp8n2S

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2004
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD192.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2280
    • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
      "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
      2⤵
        PID:2240
      • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
        "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
        2⤵
          PID:2956
        • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
          "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
          2⤵
            PID:2720
          • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
            "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
            2⤵
              PID:2876
            • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
              "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
              2⤵
                PID:2568

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpD192.tmp

              Filesize

              1KB

              MD5

              8b90569a8036afdf21a9af08b3dfd7d0

              SHA1

              c09fc21668399099476b2d6352effe1dc87b13f6

              SHA256

              af6501f94ec1a6ffbc600482ffbba33dae6efacf2b00f1dadc3eaa850a4339e6

              SHA512

              d9ae1dcd38e2c2db229a6b7fa726da27357daafd543466abf0134779f569fc6d79682ee1abcc483d3e41a40da2a7c6d723430afa3fce3a470b335dcb01c38d29

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

              Filesize

              7KB

              MD5

              7c614a52d86c0c21d06add4afa82fe0f

              SHA1

              39730362f6a1dea71ada7901af8c8cc8959ebe19

              SHA256

              1c594964a2a4c059aab6ccf655b01a6f3febc7cb6a0998f2fcc85b7fa3da9316

              SHA512

              64364a6153d2176a879dbcb67f3259b8b5354e8a80b5c0d1cfff8a695d48e33530f2d9d261fadbaa71198a981bc05a2b41938591b20f5fcf79ad4a3ae8f7f276

            • memory/2056-0-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

              Filesize

              4KB

            • memory/2056-1-0x0000000000360000-0x0000000000410000-memory.dmp

              Filesize

              704KB

            • memory/2056-2-0x0000000073E70000-0x000000007455E000-memory.dmp

              Filesize

              6.9MB

            • memory/2056-3-0x00000000005B0000-0x00000000005CA000-memory.dmp

              Filesize

              104KB

            • memory/2056-4-0x0000000000880000-0x000000000088E000-memory.dmp

              Filesize

              56KB

            • memory/2056-5-0x0000000004DE0000-0x0000000004E56000-memory.dmp

              Filesize

              472KB

            • memory/2056-18-0x0000000073E70000-0x000000007455E000-memory.dmp

              Filesize

              6.9MB