Overview

overview

8

Static

static

3

MalwareBazaar.exe

windows7-x64

8

MalwareBazaar.exe

windows10-2004-x64

8

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    19/07/2024, 11:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    MalwareBazaar.exe

  • Size

    579KB

  • MD5

    82e05156319ce8558bb9814e8f5b8b3b

  • SHA1

    feabed6a81531fdd7914e0bde1c7897f15289183

  • SHA256

    bcdac7905393303943a3615a6ba4fd14825579c9d18edad04dd02ff0ea9f8f93

  • SHA512

    fa4667dd96af551587bafac4569d466e5e1d46f36d792bd3bfe802a02d8840bae3db396d3bc5dba882651acf1725a69acf0622d2935b14893bc9502ab4441d0e

  • SSDEEP

    12288:sCn4AyHnbC3u0Y9gpbb3IKYh5f6kZ0yYwEC:/nEnbP4bb3+/6pyYe

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
    "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Bargain=Get-Content 'C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Vadefugleomraades.Loc';$Slutnumre=$Bargain.SubString(11548,3);.$Slutnumre($Bargain)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Program Files (x86)\windows mail\wab.exe
        "C:\Program Files (x86)\windows mail\wab.exe"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:2876

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Cab34A9.tmp
          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Tar34BC.tmp
          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Oversummer.Dar
          Filesize

          324KB

          MD5

          27c1f246b56bb1a919e46e49597fdfe1

          SHA1

          c45ca5d47610e5805ae3367a1fb93a30059041cf

          SHA256

          75c827fa3d7f58b026b4f00cb9f6b92592ef4c104b53ea98c3baeb8fb7aa22e9

          SHA512

          b13cc337f75df69a5f56f7366c73715bad720756328478ca0993ae0f25aa530825f1c568bc4aa6ace64ae8ee9d0ed0e1b427a76e28f84168c5f7393141e4c090

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Watertown136\Brevskolen141\Receptiv147\Vadefugleomraades.Loc
          Filesize

          69KB

          MD5

          a6dd400b11511dd7f7039be58723807c

          SHA1

          3332a1e0d0ac319c84d2bae0d21f911b0591ae14

          SHA256

          d6b0d48b470152dade3404faa67116396b68248bd1ec5521791354bab346b279

          SHA512

          010f1765c339a042f33c0d8140e341b5d7f832a75a60fe53c595667e62223936bf8f522b15137a30aa6a7350d74f3cdc0efd2955e30b8c4d223d616a4bf32c15

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nseE16B.tmp\BgImage.dll
          Filesize

          7KB

          MD5

          49998d066af103d06b56f5b4c76b1497

          SHA1

          b7dce166147f40dfa17f5ca950c4e324a10d04be

          SHA256

          95042dbe7428461ee7fd210acf37040eb921012c7b32f66cb54766f0a16bb5b6

          SHA512

          61b0d75ef3a18c8c13ad8c614a012a71cbc4f6fd4bba0aa0c7b866e1a8fbf5f9fdb3e012a3566586d47fc8b456a7de36a06a0d70cdf27e504aac64eab37555d7

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nseE16B.tmp\nsDialogs.dll
          Filesize

          9KB

          MD5

          19d3373e403a6e724cfa1563dfd1f463

          SHA1

          4917547b355a91e9431879209f56925097bf4fb3

          SHA256

          873fa0c52eae7cfbed56ea18b21fad0ca8f018ab7f305bd1db1a3ec454e353d1

          SHA512

          b6f6db23376ade4bb864ea14244980612f42f322d3915540090bfe8edc80e9577b7aec3589bd587ca47a729371ed8ab8e6e23031bb3e3f524d48783637646193

          Download Submit

        • \Users\Admin\AppData\Local\Temp\nseE16B.tmp\nsExec.dll
          Filesize

          6KB

          MD5

          6c881f00ba860b17821d8813aa34dbc6

          SHA1

          0e5a1e09b1ce1bc758d6977b913a8d9ccbe52a13

          SHA256

          bcb93204bd1854d0c34fa30883bab51f6813ab32abf7fb7d4aeed21d71f6af87

          SHA512

          c78d6f43aa9bb35260a7bd300392ce809282660283fa6cb3059bae50d6db229b0b853cab7c949d4bdf19309fb183257b1c9feb01a66347e1c0adeb21543315b6

          Download Submit

        • memory/2240-36-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-37-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-42-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-38-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-44-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-45-0x0000000006730000-0x000000000AB19000-memory.dmp

          Filesize

          67.9MB

          Download

        • memory/2240-46-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-39-0x0000000074100000-0x00000000746AB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2240-35-0x0000000074101000-0x0000000074102000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2876-99-0x0000000000D30000-0x0000000001D92000-memory.dmp

          Filesize

          16.4MB

          Download