Analysis
- max time kernel: 17s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 07:11
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.exe
Resource
win7-20240704-en
General
- Target: MalwareBazaar.exe
- Size: 691KB
- MD5: 47a2a7a19ce5697f30aec774d5b7f9b7
- SHA1: dfa50083c7dd8caabdf1abf9a72cee128c32fe3c
- SHA256: f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2
- SHA512: 59c08155dce6e69a1d0abb43f0df5711f5dc40707f88e8dd12660092710f142d8b8a2fbf2c19b4f2deb7c637245914038f25bb586ce9e53b9ed6eb62fb072feb
- SSDEEP: 12288:baODWx2PQfDxCP5M90yYgo2HckARGXHn4tOBPb5np2Fna1u4HkR:bxawMDIGiIJ0GXHnaONnp8n2S
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes: powershell.exe (PID 2484), powershell.exe (PID 2004)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes: MalwareBazaar.exe (PID 2056, recorded 10 times), powershell.exe (PID 2484), powershell.exe (PID 2004)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, PID, process):
  Token: SeDebugPrivilege, 2056, MalwareBazaar.exe
  Token: SeDebugPrivilege, 2004, powershell.exe
  Token: SeDebugPrivilege, 2484, powershell.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (PID 2056 MalwareBazaar.exe wrote to memory of target PID, target process; each target is recorded four times):
  2484, powershell.exe
  2004, powershell.exe
  2280, schtasks.exe
  2240, MalwareBazaar.exe
  2956, MalwareBazaar.exe
  2720, MalwareBazaar.exe
  2876, MalwareBazaar.exe
  2568, MalwareBazaar.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  PID: 2056
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2484
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"
    PID: 2004
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD192.tmp"
    PID: 2280
    Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2240
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2956
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2720
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2876
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    PID: 2568
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 8b90569a8036afdf21a9af08b3dfd7d0
  SHA1: c09fc21668399099476b2d6352effe1dc87b13f6
  SHA256: af6501f94ec1a6ffbc600482ffbba33dae6efacf2b00f1dadc3eaa850a4339e6
  SHA512: d9ae1dcd38e2c2db229a6b7fa726da27357daafd543466abf0134779f569fc6d79682ee1abcc483d3e41a40da2a7c6d723430afa3fce3a470b335dcb01c38d29
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 7c614a52d86c0c21d06add4afa82fe0f
  SHA1: 39730362f6a1dea71ada7901af8c8cc8959ebe19
  SHA256: 1c594964a2a4c059aab6ccf655b01a6f3febc7cb6a0998f2fcc85b7fa3da9316
  SHA512: 64364a6153d2176a879dbcb67f3259b8b5354e8a80b5c0d1cfff8a695d48e33530f2d9d261fadbaa71198a981bc05a2b41938591b20f5fcf79ad4a3ae8f7f276