Analysis
max time kernel: 93s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2024 16:00
Behavioral task behavioral1: sample MalwareBazaar.exe, resource win7-20240704-en
Behavioral task behavioral2: sample MalwareBazaar.exe, resource win10v2004-20240709-en
General
Target: MalwareBazaar.exe
Size: 2.0MB
MD5: 6e4e01af6b88116f0c7331bba5e7b782
SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b
SSDEEP: 24576:jYe7C5QSBzoU/n15NuQtG+7IwzwT2wLqq12OBOa2WYO3QFSBztYSqEEU5oZUSzTO:jYemPM0tvmwGBF223ZztBqEqx9v
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
-
Modifies WinLogon for persistence (2 TTPs, 5 IoCs)
Process: MalwareBazaar.exe
Set value (str) on \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written five times, each write appending one more dropped binary after explorer.exe:
  "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\""
  "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\", \"C:\\Windows\\schemas\\fontdrvhost.exe\""
  "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\", \"C:\\Windows\\schemas\\fontdrvhost.exe\", \"C:\\Users\\Admin\\3D Objects\\unsecapp.exe\""
  "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\", \"C:\\Windows\\schemas\\fontdrvhost.exe\", \"C:\\Users\\Admin\\3D Objects\\unsecapp.exe\", \"C:\\Windows\\apppatch\\it-IT\\RuntimeBroker.exe\""
  "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\", \"C:\\Windows\\schemas\\fontdrvhost.exe\", \"C:\\Users\\Admin\\3D Objects\\unsecapp.exe\", \"C:\\Windows\\apppatch\\it-IT\\RuntimeBroker.exe\", \"C:\\Windows\\Help\\en-US\\MalwareBazaar.exe\""
Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent of record for every schtasks.exe is wmiprvse.exe (the WMI provider host), which is what the process tree shows for any process created through WMI (Win32_Process.Create); the actual creator, presumably the sample whose dropped files the tasks launch, therefore does not appear as the parent.
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2740) is not expected to spawn schtasks.exe; child PIDs: 4916, 2712, 4320, 1444, 1260, 1132, 3996, 1904, 4636, 644, 3652, 1308, 4608, 1508, 3816
YARA matches (rule dcrat):
  behavioral2/memory/1228-1-0x0000000000F60000-0x000000000116E000-memory.dmp
  C:\Windows\Help\en-US\MalwareBazaar.exe
Checks computer location settings (2 TTPs, 1 IoC)
Reads the country code configured in the registry, likely for geofencing.
Process: MalwareBazaar.exe
Key value queried: \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (1 IoC)
PID 2620: MalwareBazaar.exe
Adds Run key to start application (2 TTPs, 10 IoCs)
Process: MalwareBazaar.exe
Set value (str), one HKCU and one HKLM entry per dropped binary:
  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\apppatch\\it-IT\\RuntimeBroker.exe\""
  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareBazaar = "\"C:\\Windows\\Help\\en-US\\MalwareBazaar.exe\""
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MalwareBazaar = "\"C:\\Windows\\Help\\en-US\\MalwareBazaar.exe\""
  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\""
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Defender\\it-IT\\csrss.exe\""
  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\schemas\\fontdrvhost.exe\""
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\schemas\\fontdrvhost.exe\""
  \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\3D Objects\\unsecapp.exe\""
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\3D Objects\\unsecapp.exe\""
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\apppatch\\it-IT\\RuntimeBroker.exe\""
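A worked detection over the two registry mechanisms above (Winlogon Shell and the Run keys), added here as an example and not part of the Triage report or of DcRat: it splits the Shell value on commas while keeping quoted paths whole, builds an inventory of every binary registered for autostart, and flags the four that borrow a Windows binary name (csrss.exe, fontdrvhost.exe, RuntimeBroker.exe, unsecapp.exe) while living outside that binary's real directory. The EVENTS list is constructed from the report's "Set value" IoCs; the event layout, the function names and the SYSTEM_HOMES table are this example's own assumptions.

```python
"""Inventory the registry autostarts this sample writes.

Added example, not part of the Triage report: it splits the Winlogon Shell
value, collects every binary registered through Shell or a Run key, and
flags Windows binary names that live outside their real directory. EVENTS
is constructed from the report's "Set value" IoCs; the event layout and the
SYSTEM_HOMES table are this example's own assumptions.
"""
import re

HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft"
HKCU = r"\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft"
SHELL = r"\Windows NT\CurrentVersion\Winlogon\Shell"
RUN = r"\Windows\CurrentVersion\Run"
CSRSS = r"C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe"
FONT = r"C:\Windows\schemas\fontdrvhost.exe"
UNSEC = r"C:\Users\Admin\3D Objects\unsecapp.exe"
RTB = r"C:\Windows\apppatch\it-IT\RuntimeBroker.exe"
MB = r"C:\Windows\Help\en-US\MalwareBazaar.exe"

EVENTS = [  # (registry value path, string written), in the order the report lists them
    (HKLM + SHELL, f'explorer.exe, "{CSRSS}"'),
    (HKLM + SHELL, f'explorer.exe, "{CSRSS}", "{FONT}"'),
    (HKLM + SHELL, f'explorer.exe, "{CSRSS}", "{FONT}", "{UNSEC}"'),
    (HKLM + SHELL, f'explorer.exe, "{CSRSS}", "{FONT}", "{UNSEC}", "{RTB}"'),
    (HKLM + SHELL, f'explorer.exe, "{CSRSS}", "{FONT}", "{UNSEC}", "{RTB}", "{MB}"'),
    (HKCU + RUN + r"\RuntimeBroker", f'"{RTB}"'),
    (HKCU + RUN + r"\MalwareBazaar", f'"{MB}"'),
    (HKLM + RUN + r"\MalwareBazaar", f'"{MB}"'),
    (HKCU + RUN + r"\csrss", f'"{CSRSS}"'),
    (HKLM + RUN + r"\csrss", f'"{CSRSS}"'),
    (HKCU + RUN + r"\fontdrvhost", f'"{FONT}"'),
    (HKLM + RUN + r"\fontdrvhost", f'"{FONT}"'),
    (HKCU + RUN + r"\unsecapp", f'"{UNSEC}"'),
    (HKLM + RUN + r"\unsecapp", f'"{UNSEC}"'),
    (HKLM + RUN + r"\RuntimeBroker", f'"{RTB}"'),
]

# Where Windows itself keeps the binaries whose names this sample borrows.
SYSTEM_HOMES = {
    "csrss.exe": r"c:\windows\system32",
    "fontdrvhost.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "unsecapp.exe": r"c:\windows\system32\wbem",
}

# One Shell entry: a double-quoted path, or a bare token up to the next comma.
SHELL_ENTRY = re.compile(r'\s*(?:"([^"]*)"|([^,"]+))')


def split_shell_value(value):
    """Split a Winlogon Shell value on commas while keeping quoted paths whole."""
    entries = [(quoted or bare).strip() for quoted, bare in SHELL_ENTRY.findall(value)]
    return [entry for entry in entries if entry]


def shell_extras(value):
    """Everything Winlogon would launch besides the default explorer.exe."""
    return [e for e in split_shell_value(value) if e.lower() != "explorer.exe"]


def autostart_inventory(events):
    """Map each autostart binary to the set of mechanisms that register it."""
    inventory = {}
    for key, value in events:
        low = key.lower()
        if low.endswith("\\winlogon\\shell"):
            paths, how = shell_extras(value), "Winlogon\\Shell"
        elif "\\currentversion\\run\\" in low:
            hive = "HKLM" if low.startswith("\\registry\\machine") else "HKCU"
            paths, how = [value.strip('"')], hive + " Run"
        else:
            continue
        for path in paths:
            inventory.setdefault(path, set()).add(how)
    return inventory


def masquerades(paths):
    """(path, expected folder) for Windows binary names found somewhere else."""
    hits = []
    for path in paths:
        folder, _, name = path.lower().rpartition("\\")
        home = SYSTEM_HOMES.get(name)
        if home and folder != home:
            hits.append((path, home))
    return hits


if __name__ == "__main__":
    inventory = autostart_inventory(EVENTS)
    for path, mechanisms in inventory.items():
        print(f"{path}: {', '.join(sorted(mechanisms))}")
    for path, home in masquerades(inventory):
        print(f"MASQUERADE {path} (real binary lives in {home})")
```

The comma split mirrors what Winlogon does at logon: every comma-separated entry in Shell is started, so a clean system has exactly one entry, explorer.exe, and anything after it is a persistence hit in its own right. The inventory also shows why this sample is noisy: each dropped binary ends up registered three ways (Shell, HKCU Run, HKLM Run) before the scheduled tasks are even counted.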
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 6: ip-api.com
Drops file in Program Files directory (3 IoCs)
Process: MalwareBazaar.exe
  File created: C:\Program Files (x86)\Windows Defender\it-IT\886983d96e3d3e
  File created: C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe
  File opened for modification: C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe
Drops file in Windows directory (6 IoCs)
Process: MalwareBazaar.exe
  File created: C:\Windows\schemas\fontdrvhost.exe
  File created: C:\Windows\schemas\5b884080fd4f94
  File created: C:\Windows\apppatch\it-IT\RuntimeBroker.exe
  File created: C:\Windows\apppatch\it-IT\9e8d7a4ca61bd9
  File created: C:\Windows\Help\en-US\MalwareBazaar.exe
  File created: C:\Windows\Help\en-US\0f0ead8ed346f8
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (schtasks.exe PIDs): 4916, 2712, 1260, 1904, 644, 1508, 3816, 1444, 3996, 4608, 4320, 1132, 4636, 3652, 1308
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes: PID 1228 MalwareBazaar.exe (8 events), PID 2620 MalwareBazaar.exe (15 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 1228 MalwareBazaar.exe
  Token: SeDebugPrivilege, PID 2620 MalwareBazaar.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 1228 (MalwareBazaar.exe) wrote to memory of PID 2620 (MalwareBazaar.exe), twice
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 1228)
  command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Help\en-US\MalwareBazaar.exe (PID 2620, child of 1228)
    command line: "C:\Windows\Help\en-US\MalwareBazaar.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

The fifteen schtasks.exe processes below sit at the top level of the tree because their parent of record is wmiprvse.exe (PID 2740), not the sample; see "Process spawned unexpected child process". Each of them carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

C:\Windows\system32\schtasks.exe (PID 4916)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f
C:\Windows\system32\schtasks.exe (PID 2712)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4320)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1444)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1260)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1132)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3996)
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1904)
  schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4636)
  schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 644)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe (PID 3652)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 1308)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 4608)
  schtasks.exe /create /tn "MalwareBazaarM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /f
C:\Windows\system32\schtasks.exe (PID 1508)
  schtasks.exe /create /tn "MalwareBazaar" /sc ONLOGON /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe (PID 3816)
  schtasks.exe /create /tn "MalwareBazaarM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /rl HIGHEST /f
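The following is an added example, not part of the Triage report and not DcRat's own code: it parses the fifteen schtasks command lines from the process tree, groups the tasks by the binary each one launches, and flags the parent anomaly described under "Process spawned unexpected child process". RECORDS is constructed from the process tree and the "Parent ... wmiprvse.exe" IoCs; the record layout, the function names and the UNEXPECTED_SCHTASKS_PARENTS table (whose Office entries are assumed additions, not from the report) are this example's own.

```python
"""Triage the schtasks persistence shown in the process tree.

Added example, not part of the Triage report: parses the schtasks /create
command lines the report lists, groups them by the binary each task
launches, and flags schtasks.exe processes whose parent is anomalous.
RECORDS is constructed from the report's process tree; the record layout
and the parent table are this example's own assumptions.
"""
import shlex
from collections import defaultdict

# wmiprvse.exe is the parent of record for anything started through WMI
# (Win32_Process.Create), so the real creator never shows up in the tree.
# The Office entries are assumed extra examples, not taken from the report.
UNEXPECTED_SCHTASKS_PARENTS = {
    "wmiprvse.exe": "started via WMI Win32_Process.Create; real creator hidden",
    "winword.exe": "Office macro",
    "excel.exe": "Office macro",
}

PARENT = r"C:\Windows\system32\wbem\wmiprvse.exe"
RECORDS = [  # (pid, parent image, command line) as the report prints them
    (4916, PARENT, r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /f"""),
    (2712, PARENT, r"""schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f"""),
    (4320, PARENT, r"""schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\csrss.exe'" /rl HIGHEST /f"""),
    (1444, PARENT, r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /f"""),
    (1260, PARENT, r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f"""),
    (1132, PARENT, r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\fontdrvhost.exe'" /rl HIGHEST /f"""),
    (3996, PARENT, r"""schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /f"""),
    (1904, PARENT, r"""schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f"""),
    (4636, PARENT, r"""schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\unsecapp.exe'" /rl HIGHEST /f"""),
    (644, PARENT, r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /f"""),
    (3652, PARENT, r"""schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f"""),
    (1308, PARENT, r"""schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f"""),
    (4608, PARENT, r"""schtasks.exe /create /tn "MalwareBazaarM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /f"""),
    (1508, PARENT, r"""schtasks.exe /create /tn "MalwareBazaar" /sc ONLOGON /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /rl HIGHEST /f"""),
    (3816, PARENT, r"""schtasks.exe /create /tn "MalwareBazaarM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\MalwareBazaar.exe'" /rl HIGHEST /f"""),
]


def parse_schtasks(cmdline):
    """Return the /switch values of a schtasks command line as a dict.

    posix=False keeps backslashes and quoted arguments intact; the double
    and single quotes wrapped around the /tr target are then stripped.
    Bare switches such as /create and /f map to True.
    """
    tokens = shlex.split(cmdline, posix=False)
    args, i = {}, 1                       # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        if not tokens[i].startswith("/"):
            i += 1
            continue
        name = tokens[i][1:].lower()
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[name] = tokens[i + 1].strip('"').strip("'")
            i += 2
        else:
            args[name] = True
            i += 1
    return args


def triage_schtasks(records):
    """Group /create tasks by launched binary and flag unexpected parents."""
    by_target, findings = defaultdict(list), []
    for pid, parent, cmdline in records:
        if not cmdline.lower().startswith("schtasks"):
            continue
        args = parse_schtasks(cmdline)
        if "create" not in args:
            continue
        parent_name = parent.lower().rsplit("\\", 1)[-1]
        if parent_name in UNEXPECTED_SCHTASKS_PARENTS:
            findings.append((pid, parent_name, UNEXPECTED_SCHTASKS_PARENTS[parent_name]))
        by_target[args.get("tr")].append({
            "pid": pid,
            "name": args.get("tn"),
            "schedule": args.get("sc"),
            "minutes": int(args["mo"]) if args.get("sc") == "MINUTE" else None,
            "highest": str(args.get("rl", "")).upper() == "HIGHEST",
        })
    return dict(by_target), findings


def summarize(records):
    """One line per launched binary plus a count of bad-parent launches."""
    by_target, findings = triage_schtasks(records)
    lines = []
    for target, tasks in by_target.items():
        logon = sum(t["schedule"] == "ONLOGON" for t in tasks)
        high = sum(t["highest"] for t in tasks)
        lines.append(f"{target}: {len(tasks)} tasks, {logon} ONLOGON, {high} with /rl HIGHEST")
    lines.append(f"{len(findings)} schtasks.exe launches with an unexpected parent")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(RECORDS)))
```

Grouping by target makes the pattern in the tree easy to read: every dropped binary gets one ONLOGON task at /rl HIGHEST plus two MINUTE-interval tasks that share a name, the second overwriting the first because of /f and adding /rl HIGHEST. Between the logon trigger and the minute-interval respawn, killing any one of the five processes only buys a few minutes, which is the caveat to keep in mind when cleaning up: remove the tasks and the Run and Shell entries before terminating the processes.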
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
  Registry Run Keys / Startup Folder (1)
  Winlogon Helper DLL (1)
Scheduled Task/Job (1)
  Scheduled Task (1)
Downloads
Filesize: 1KB
MD5: 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1: d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256: 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512: 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Filesize: 2.0MB (all four hashes match the submitted sample, so this is a byte-identical copy of it)
MD5: 6e4e01af6b88116f0c7331bba5e7b782
SHA1: 756c0a5ea8aac86f41d118166452a011a608043c
SHA256: 5a335f4ea90b29144cf268dccdc8f8e1757e57cccc941cc7334b8f4bd7999147
SHA512: f49b6146f313624606a9eb80287c23c68aaefcf7ffafacba83a87b333b4388dd38a423a179b7bcb0e1d555873681b405c781faf68e2d7169fa7bcefe4a73874b