e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce

Analysis

max time kernel
131s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MalwareBazaar.exe
Size

214KB
MD5

3e63f636a493ee210b6627e63c954665
SHA1

07edabeb3c3375043de5a0a2af222a9888e40c75
SHA256

e00c78c89894028be70f0125ab20cc5919d39930fb98d01b367c3f05d69029ce
SHA512

4bea9a7c13ff9543532bbbb5ef1497bf3d31d03d1629365d962e953695ebc4d77dde329b451e1b07cdf18c3883d22df2e58b2602e116e32bc4292e027b2c0a42
SSDEEP

6144:oNeZg14JHXuf5KmE+rZOuTdcC2xIC90pLXg4Psgf:oN8HXG1NOiSPxbCLX7PsO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

gynoox.exe

pid	Process
2692	gynoox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4072	2692	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MalwareBazaar.exegynoox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MalwareBazaar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gynoox.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

MalwareBazaar.exegynoox.exe

description	pid	Process	procid_target
PID 2876 wrote to memory of 2692	2876	MalwareBazaar.exe	85
PID 2876 wrote to memory of 2692	2876	MalwareBazaar.exe	85
PID 2876 wrote to memory of 2692	2876	MalwareBazaar.exe	85
PID 2692 wrote to memory of 1432	2692	gynoox.exe	86
PID 2692 wrote to memory of 1432	2692	gynoox.exe	86
PID 2692 wrote to memory of 1432	2692	gynoox.exe	86

C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\gynoox.exe
  C:\Users\Admin\AppData\Local\Temp\gynoox.exe C:\Users\Admin\AppData\Local\Temp\jbvzhvisee
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\gynoox.exe
    C:\Users\Admin\AppData\Local\Temp\gynoox.exe C:\Users\Admin\AppData\Local\Temp\jbvzhvisee
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 520
    3⤵
    - Program crash
    PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2692 -ip 2692
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gynoox.exe

Filesize
3KB

MD5
c81d16f671e6bdf7f5ae1c7003856717

SHA1
031ae8483b93c7040fb327d1141dfafa636b75bb

SHA256
ea757de6b7cb2593fbdac083b42f2143812370c864e30c8c461de152664e9a1f

SHA512
f08e25b1f3ba7e58b4f4993b4cf4079e45c132dc85f6f323eba83c4a92d61e76c74a0b264802aabc031f08f13d291d1c6556bd8d7747ba5f37b306346bc732f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbvzhvisee

Filesize
5KB

MD5
14eb81fc11bc5a7519e1d13d9c8db270

SHA1
e7fb259e2d54e8d489c31394f4972f8c983a10f6

SHA256
fc71e6c40f10c1e7168aafbc20e02af04e4d6e20c5eeed30d337e22f7f3eb4e5

SHA512
35c2ae89f4927d3c5e78c05f28203c00ba6ba5de10b0f11ab1573114c5170921ea6412a90b2992b2a5efafb59757c9b0810b3bda86293e9fe5b02e03f225a08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6nbf21ha3fbj

Filesize
163KB

MD5
608f25eda319b6b7ff254ae53a9e8705

SHA1
22fb3e020a4d186fd6e66604754e42c94e546e44

SHA256
828363931d3b8d883bc873ca92fdfe5c84937f030c1907868d7e8cecd2ca08e4

SHA512
fac692824d87c2017ec1a4a2f5a642a0f89403c174933e1c7077e0e1098ea3f63a5ecf5ac7107e5c6d440c120b40c01bb2bc812d1c3d50dafe3229b9e66cb1eb

Download Submit
memory/2692-8-0x0000000000500000-0x0000000000502000-memory.dmp

Filesize
8KB

Download