Analysis Overview
SHA256
c2cf1032ae671d0bcba6d625bc72236b125f864a1bb6114c6b96a8e0c91c6759
Threat Level: Known bad
The file MalwareBazaar.3 was found to be: Known bad.
Malicious Activity Summary
Remcos
Detected Nirsoft tools
Credentials from Password Stores: Credentials from Web Browsers
NirSoft MailPassView
NirSoft WebBrowserPassView
UPX packed file
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
AutoIT Executable
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-07 11:05
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 11:05
Reported
2024-08-07 11:08
Platform
win7-20240704-en
Max time kernel
148s
Max time network
129s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2404 set thread context of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2232 set thread context of 2868 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2232 set thread context of 2756 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2232 set thread context of 2364 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\fwnqrmtvlepmovsiujhfe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\pztakeeozmhrrbomduczhrqe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\ztytkopqnuzebpcqufoaswlnztw"
Network
| Country | Destination | Domain | Proto |
| LT | 194.169.175.190:2404 | tcp | |
| LT | 194.169.175.190:2404 | tcp | |
| LT | 194.169.175.190:2404 | tcp |
Files
memory/2404-0-0x0000000000190000-0x000000000036B000-memory.dmp
memory/2404-12-0x0000000000380000-0x0000000000384000-memory.dmp
memory/2232-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-15-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2404-19-0x0000000000190000-0x000000000036B000-memory.dmp
memory/2232-17-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-27-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2868-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2756-33-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2364-49-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2364-48-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2756-47-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2868-46-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2364-45-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2364-44-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2364-42-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2756-39-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2868-38-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2756-37-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2868-35-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2868-30-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2868-54-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fwnqrmtvlepmovsiujhfe
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2756-56-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2232-57-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2232-61-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2232-60-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2232-62-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-63-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-64-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-65-0x0000000000400000-0x0000000000482000-memory.dmp
memory/2232-66-0x0000000000400000-0x0000000000482000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 11:05
Reported
2024-08-07 11:08
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
129s
Command Line
Signatures
Remcos
Credentials from Password Stores: Credentials from Web Browsers
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\svchost.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4744 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3624 set thread context of 3784 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3624 set thread context of 4736 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3624 set thread context of 4040 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\svchost.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\MalwareBazaar.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\apwzjjcyrj"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\drbskcnafrwun"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\drbskcnafrwun"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\Admin\AppData\Local\Temp\nmhkcuyutzozprjh"
Network
| Country | Destination | Domain | Proto |
| LT | 194.169.175.190:2404 | tcp | |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| LT | 194.169.175.190:2404 | tcp | |
| LT | 194.169.175.190:2404 | tcp | |
| US | 8.8.8.8:53 | 190.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/4744-0-0x0000000000F70000-0x000000000114B000-memory.dmp
memory/4744-12-0x0000000000F30000-0x0000000000F34000-memory.dmp
memory/3624-13-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-14-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4744-17-0x0000000000F70000-0x000000000114B000-memory.dmp
memory/3624-16-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-19-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-18-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-20-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-21-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-22-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-23-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-24-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-25-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3784-27-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4736-29-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4736-33-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4040-36-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3784-40-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3784-41-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4040-39-0x0000000000400000-0x0000000000424000-memory.dmp
memory/4736-38-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4736-37-0x0000000000400000-0x0000000000462000-memory.dmp
memory/4040-35-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3784-32-0x0000000000400000-0x0000000000478000-memory.dmp
memory/4040-31-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3784-46-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\apwzjjcyrj
| MD5 | a7e181f6aa185be0ab0ca68b30406fe6 |
| SHA1 | 58c86162658dc609615b8b6400f85c92506dfdc8 |
| SHA256 | c3071dc55b94db225d9c0f2c1b21c7e8f27dbfd168b85b7d618d8d19950e7ff2 |
| SHA512 | 49969eb10e0bf7925940eb7374451f811658ef9ccfb83b86fb337c4d06c3ba17eb0181f598d9e0ec9ca25bfaf644209ac47b73d62ac924e73d03a4dcf8f8dd0f |
memory/3624-48-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3624-52-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3624-51-0x0000000010000000-0x0000000010019000-memory.dmp
memory/3624-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-54-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-55-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-56-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-57-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-58-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-59-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-60-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-61-0x0000000000400000-0x0000000000482000-memory.dmp
memory/3624-62-0x0000000000400000-0x0000000000482000-memory.dmp