Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 05:00
- Static task: static1
- Behavioral task: behavioral1
  - Sample: MalwareBazaar.exe
  - Resource: win7-20240708-en
General
- Target: MalwareBazaar.exe
- Size: 1.0MB
- MD5: 7f409fdbf293c9c3ce17a1e540739e24
- SHA1: ae25b94e4e8c95a5439947b195b1bd2d2f07fa7a
- SHA256: 52183f225975e6fa1a0c7f7917d43911deccf1375e4defa83852d06cb39c5d61
- SHA512: 1ff2d45f978b3d5b67e7dfdb717abcb6a2fc745feeade7308a6798baf8e0f9509078f9b4ff4ea7431184fa31b01fc26a8c0af6981d098849cc9c4743d4b17b58
- SSDEEP: 12288:WurSY+aZrwrmN+wYku7+yY++DSYOfGrT2LcdgrVrvFuVCJVuH71vilSeM93g:p/4rmNNtmY8YORwiPuVCnuH7hwm93
Malware Config
Extracted
- Family: remcos
- Botnet: BAREATA
- C2: 94.156.69.174:7459
- Attributes:
  - audio_folder: MicRecords
  - audio_record_time: 5
  - connect_delay: 0
  - connect_interval: 1
  - copy_file: remcos.exe
  - copy_folder: Remcos
  - delete_file: false
  - hide_file: false
  - hide_keylog_file: false
  - install_flag: false
  - keylog_crypt: false
  - keylog_file: logs.dat
  - keylog_flag: false
  - keylog_folder: remcos
  - mouse_option: false
  - mutex: Rmc-7AD3IP
  - screenshot_crypt: false
  - screenshot_flag: false
  - screenshot_folder: Screenshots
  - screenshot_path: %AppData%
  - screenshot_time: 10
  - take_screenshot_option: false
  - take_screenshot_time: 5
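The config above is only useful to a responder once it is turned into things to hunt for, and the flags decide which artifacts this build will actually leave behind. The script below is an added example and not part of the sandbox report: REMCOS_CONFIG is transcribed from the Malware Config section, and the flag semantics it relies on (install_flag gating the self-copy to copy_folder\copy_file, keylog_flag gating the offline keylog file, screenshot_flag gating the screenshot directory, all rooted under %AppData%) are the commonly documented Remcos behaviour, assumed here rather than stated by the report.

```python
"""Turn an extracted Remcos config into a hunt list, separating artifacts
the build will create from ones that depend on a module flag that is off.

Added example, not part of the sandbox report. REMCOS_CONFIG is transcribed
from the Malware Config section above; the meaning of the flags and the
%AppData% rooting are assumptions (documented Remcos behaviour), not report
facts.
"""
import ntpath

REMCOS_CONFIG = {
    "family": "remcos",
    "botnet": "BAREATA",
    "c2": ["94.156.69.174:7459"],
    "mutex": "Rmc-7AD3IP",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_folder": "MicRecords",
}


def parse_c2(entry):
    """'host:port' -> (host, port). rpartition keeps hostnames/IPv6 with colons intact."""
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"bad c2 entry: {entry!r}")
    return host, int(port)


def hunt_list(cfg, appdata=r"%AppData%"):
    """Return {'confirmed': [...], 'conditional': [...]} of (kind, value, note) IoCs.

    'confirmed' artifacts exist whenever the implant runs; 'conditional' ones
    only if the gating flag is true, so on this build they are not worth a
    disk sweep but are still the right paths to watch if the config changes.
    """
    confirmed, conditional = [], []
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        confirmed.append(("network", f"{host}:{port}", f"botnet id {cfg['botnet']}"))
    # The mutex is created at start-up regardless of optional modules (assumption).
    confirmed.append(("mutex", cfg["mutex"], "single-instance guard"))

    def gated(flag, kind, value, note):
        bucket = confirmed if cfg[flag] else conditional
        bucket.append((kind, value, f"{note}; {flag}={cfg[flag]}"))

    gated("install_flag", "file",
          ntpath.join(appdata, cfg["copy_folder"], cfg["copy_file"]),
          "self-copy / persistence target")
    gated("keylog_flag", "file",
          ntpath.join(appdata, cfg["keylog_folder"], cfg["keylog_file"]),
          "offline keylog")
    gated("screenshot_flag", "dir",
          ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]),
          "screenshot store")
    return {"confirmed": confirmed, "conditional": conditional}


if __name__ == "__main__":
    for bucket, items in hunt_list(REMCOS_CONFIG).items():
        for kind, value, note in items:
            print(f"{bucket:11} {kind:8} {value:45} {note}")
```

For this sample the only confirmed host artifact from the config is the mutex Rmc-7AD3IP, plus the C2 socket on the wire; the %AppData%\Remcos\remcos.exe copy is gated off by install_flag=false, which is consistent with the persistence seen under Processes (a scheduled task and a Defender exclusion for AEDsxJ.exe) coming from the outer loader rather than from Remcos's own installer.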
Signatures

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
PID    Process
2004   powershell.exe
3064   powershell.exe

Suspicious use of SetThreadContext (1 IoC)
PID    Process            Target PID   Target process
2984   MalwareBazaar.exe  2588         MalwareBazaar.exe (process #37)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Description   IoC                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID    Process
2704   schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
PID    Process
2984   MalwareBazaar.exe
2984   MalwareBazaar.exe
2004   powershell.exe
3064   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Description               PID    Process
Token: SeDebugPrivilege   2984   MalwareBazaar.exe
Token: SeDebugPrivilege   2004   powershell.exe
Token: SeDebugPrivilege   3064   powershell.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID    Process
2588   MalwareBazaar.exe

Suspicious use of WriteProcessMemory (25 IoCs)
PID    Process            Target PID   Target process                   Entries
2984   MalwareBazaar.exe  2004         powershell.exe (process #31)     4
2984   MalwareBazaar.exe  3064         powershell.exe (process #33)     4
2984   MalwareBazaar.exe  2704         schtasks.exe (process #35)       4
2984   MalwareBazaar.exe  2588         MalwareBazaar.exe (process #37)  13
Processes
- C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2984)
  Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2004)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3064)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AEDsxJ.exe"
    Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2704)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AEDsxJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp17C5.tmp"
    Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe (PID 2588)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx

Note: the children run from C:\Windows\SysWOW64 even though their command lines name C:\Windows\System32; the parent is a 32-bit process, so WOW64 file-system redirection resolves those paths to the 32-bit binaries. The second MalwareBazaar.exe (PID 2588) is the process that the parent targets with SetThreadContext and the 13 WriteProcessMemory entries listed under Signatures, and it is the only process in the tree that installs a Windows hook (SetWindowsHookEx).
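The Signatures and Processes sections together describe three behaviours a detection engineer would want to catch from process-creation telemetry alone: a Defender exclusion added via Add-MpPreference for a path in a user-writable directory, a scheduled task registered from an XML file in %Temp%, and a parent spawning a second copy of its own image (the process-creation view of the SetThreadContext/WriteProcessMemory pattern in the report). The script below is an added example, not part of the sandbox report: EVENTS is constructed from the process tree above (PIDs, image paths and command lines as printed there), and the dict field names are this script's own rather than a Triage or Sysmon schema.

```python
"""Detections for the behaviours listed under Signatures, run over
process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from
the process tree above; the field names are this script's own, not a Triage
or Sysmon schema.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2984, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'},
    {"pid": 2004, "ppid": 2984,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'},
    {"pid": 3064, "ppid": 2984,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AEDsxJ.exe"'},
    {"pid": 2704, "ppid": 2984,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AEDsxJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp17C5.tmp"'},
    {"pid": 2588, "ppid": 2984,
     "image": r"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"'},
]


def _arg(cmdline, switch):
    """Value following a switch: a double-quoted string or a bare token, else None."""
    m = re.search(re.escape(switch) + r'\s+(?:"([^"]+)"|(\S+))', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def _user_writable(path):
    """Crude check for locations a non-admin user (or any dropper) can write to."""
    p = path.lower()
    return any(s in p for s in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"))


def detect(events):
    """Return a list of (rule, pid, detail) findings over process-creation events."""
    findings = []
    by_pid = {e["pid"]: e for e in events}
    excluded = {}  # lower-cased excluded path -> pid of the powershell that added it

    for e in events:
        cmd = e["cmdline"]
        base = ntpath.basename(e["image"]).lower()

        # Defender exclusion added from the command line (ATT&CK T1562.001).
        # Note: PowerShell also accepts abbreviated parameter names; a real
        # rule should match on -Exclusion* rather than the full names only.
        if base == "powershell.exe" and re.search(r"\bAdd-MpPreference\b", cmd, re.I):
            for kind in ("ExclusionPath", "ExclusionProcess", "ExclusionExtension"):
                val = _arg(cmd, "-" + kind)
                if val:
                    excluded[val.lower()] = e["pid"]
                    sev = "high" if _user_writable(val) else "medium"
                    findings.append(("defender_exclusion", e["pid"], f"{kind}={val} ({sev})"))

        # Scheduled task registered from an XML in a temp/user path (ATT&CK T1053.005).
        if base == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            tn, xml = _arg(cmd, "/TN"), _arg(cmd, "/XML")
            if xml and _user_writable(xml):
                findings.append(("schtasks_xml_from_temp", e["pid"], f"TN={tn} XML={xml}"))

        # Parent spawning a child with its own image: without API telemetry
        # this is the best process-creation proxy for hollowing a second copy.
        parent = by_pid.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append(("self_spawn_hollowing_candidate", e["pid"], f"parent={parent['pid']}"))

    # Correlate: a task whose leaf name equals the stem of a file excluded earlier.
    for rule, pid, _detail in list(findings):
        if rule != "schtasks_xml_from_temp":
            continue
        tn = _arg(by_pid[pid]["cmdline"], "/TN") or ""
        leaf = tn.rsplit("\\", 1)[-1].lower()
        for path in excluded:
            if leaf and ntpath.splitext(ntpath.basename(path))[0] == leaf:
                findings.append(("exclusion_matches_task_name", pid, f"{tn} ~ {path}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run against the constructed events this yields five findings: two Defender exclusions (both high, since both paths sit under the user profile), one task created from an XML in %Temp%, the self-spawn of MalwareBazaar.exe as PID 2588, and the correlation that the task name Updates\AEDsxJ matches the stem of the pre-excluded C:\Users\Admin\AppData\Roaming\AEDsxJ.exe. The report does not show the task XML, so the correlation only says the names line up, not what the task runs; confirming that needs the XML or the Task Scheduler event log.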
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 144B
  MD5: 00ce446c8553c5512537f8d2d1fe542f
  SHA1: a7f831bde8351b68479360f0cb49c7bcad4ff563
  SHA256: 50c83d71327e9bb58ef40fdb38c99a97a3c9c1c4485201703a8a2b1606079ce0
  SHA512: 6a4c2dc393953ad4c9dd17e774f30d07e525bd33d23579b6017ba2280ec8bfb4431397b5561ff598c6c2c581f109b2b51a8c90474cb20d591701269bd68d0578
- Filesize: 1KB
  MD5: 1c9637a3f6eb795b1701161c677b3b52
  SHA1: 8239a245055faa647f5a8a1ead4c15990cbd40a2
  SHA256: 259d24d2a2a96b31fb10cc76b4ba11fce64fe79ccba6372ffcc6e84a1e816e79
  SHA512: a0fbf2920233e4782f0816b65b931c98a6972be73f014ce895246bb14a16347bcd33d362b6538793f03247e110ab4003be45fc1e6afeb24b416df13c4f3b8ec5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (a Windows jump-list artifact, not a downloaded payload)
  Filesize: 7KB
  MD5: 96b633bae0f450dd6b391a7a36287a50
  SHA1: 8c38f6a4ce62bc758a5d8aeb2b7be4571ee94c2f
  SHA256: 721720ed413e5135abc5d55cb4384bc466aae3e12ee2672ed0d30dac45f3612e
  SHA512: 8b259af81d3120f3df0642ed2093fed068b7eb64f5796c97a560d82c9f48db88d279acccbd12ffcca95e607ecad3474950e234bbc968661dc2d6010306e1fbcd