Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 149s
max time network: 123s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
submitted: 05/08/2024, 07:06
Static task: static1
Behavioral task: behavioral1
Sample: MalwareBazaar.exe
Resource: win7-20240729-en
General
Target: MalwareBazaar.exe
Size: 653KB
MD5: f205c1fbf5d8a384899c2d4c25866f70
SHA1: 51fd6812d379d3f16ea7c331b64e3df03bb16558
SHA256: 5a4a51d74e1843630ec0749d480f0057efd6d0b3e867253d1e871f6394171dc7
SHA512: 40806add39344f56a55f32707a7a5402f9aa96d4a6512ee5daaa93c8bd3e2336ef81999183deaf61cea446ff68ee1dd96e73bbb72ee3e480d16ac2544b18c773
SSDEEP: 12288:BWxa/zmcDXmoamqD+iejZKSK9q0ypKXt7jblMHrtxxGXFKgs8ZkR:BWxaakvamqKioJKuSljZMLHM1KV8E
Malware Config
Extracted
formbook
4.1
ps15
Signatures
Formbook payload 3 IoCs
resource  yara_rule
behavioral1/memory/2832-22-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/2832-25-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/2596-27-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid   Process
2760  powershell.exe
2844  powershell.exe
Deletes itself 1 IoCs
pid   Process
1232  cmd.exe
Suspicious use of SetThreadContext 4 IoCs
description                          pid   Process            procid_target
PID 2584 set thread context of 2832  2584  MalwareBazaar.exe  37
PID 2832 set thread context of 1208  2832  MalwareBazaar.exe  21
PID 2832 set thread context of 1208  2832  MalwareBazaar.exe  21
PID 2596 set thread context of 1208  2596  help.exe           21
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MalwareBazaar.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  help.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
2748  schtasks.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid   Process
2832  MalwareBazaar.exe
2832  MalwareBazaar.exe
2760  powershell.exe
2844  powershell.exe
2832  MalwareBazaar.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
2596  help.exe
Suspicious behavior: MapViewOfSection 6 IoCs
pid   Process
2832  MalwareBazaar.exe
2832  MalwareBazaar.exe
2832  MalwareBazaar.exe
2832  MalwareBazaar.exe
2596  help.exe
2596  help.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  2832  MalwareBazaar.exe
Token: SeDebugPrivilege  2760  powershell.exe
Token: SeDebugPrivilege  2844  powershell.exe
Token: SeDebugPrivilege  2596  help.exe
Suspicious use of WriteProcessMemory 27 IoCs
description                       pid   Process            procid_target
PID 2584 wrote to memory of 2760  2584  MalwareBazaar.exe  31
PID 2584 wrote to memory of 2760  2584  MalwareBazaar.exe  31
PID 2584 wrote to memory of 2760  2584  MalwareBazaar.exe  31
PID 2584 wrote to memory of 2760  2584  MalwareBazaar.exe  31
PID 2584 wrote to memory of 2844  2584  MalwareBazaar.exe  33
PID 2584 wrote to memory of 2844  2584  MalwareBazaar.exe  33
PID 2584 wrote to memory of 2844  2584  MalwareBazaar.exe  33
PID 2584 wrote to memory of 2844  2584  MalwareBazaar.exe  33
PID 2584 wrote to memory of 2748  2584  MalwareBazaar.exe  35
PID 2584 wrote to memory of 2748  2584  MalwareBazaar.exe  35
PID 2584 wrote to memory of 2748  2584  MalwareBazaar.exe  35
PID 2584 wrote to memory of 2748  2584  MalwareBazaar.exe  35
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 2584 wrote to memory of 2832  2584  MalwareBazaar.exe  37
PID 1208 wrote to memory of 2596  1208  Explorer.EXE       55
PID 1208 wrote to memory of 2596  1208  Explorer.EXE       55
PID 1208 wrote to memory of 2596  1208  Explorer.EXE       55
PID 1208 wrote to memory of 2596  1208  Explorer.EXE       55
PID 2596 wrote to memory of 1232  2596  help.exe           56
PID 2596 wrote to memory of 1232  2596  help.exe           56
PID 2596 wrote to memory of 1232  2596  help.exe           56
PID 2596 wrote to memory of 1232  2596  help.exe           56
Processes
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1208
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
        PID: 2584
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
            PID: 2760
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YANEQIBuodfvB.exe"
            PID: 2844
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YANEQIBuodfvB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1C7.tmp"
            PID: 2748
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
            PID: 2832
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1576
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 752
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 844
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1448
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1764
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 396
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1972
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 340
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2908
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2016
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2668
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2044
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1120
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 276
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2512
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 2080
    [2] C:\Windows\SysWOW64\autochk.exe
        Command line: "C:\Windows\SysWOW64\autochk.exe"
        PID: 1388
    [2] C:\Windows\SysWOW64\help.exe
        Command line: "C:\Windows\SysWOW64\help.exe"
        PID: 2596
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
            PID: 1232
            - Deletes itself
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: 535f93e347c521dc84cf5715ae2fcc4c
SHA1: 2801b8cd469c2c625c221fba3e3fcaefcdce086c
SHA256: e974225cc5e11b3afe63335a154672e13bc85192f4c6e847b86e88351e985446
SHA512: 05dea2871554ab2e2f292dfcd6ba271137c191a121e6545c058a3060a9b03dbdfea67fae925a1045a486263b0db0205b8c6e1c8563eef9262efd201f5bf8d769