2b9e2bdeb348be368e9cafd06c15414bbe725af32a8c40ee56c3266db8a5b2a3

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/BulbaZ.exe
Size

51KB
MD5

671037658a67820363d670b4e2c3fa17
SHA1

bbae9179361f49ccdccfd4338bb108ffc1d4118a
SHA256

8bd3ee1d96fdfd71f84cdf404bf33d50d1032eb5ae8bbe45da2de693d23bf6dd
SHA512

5d79862596e234349e0fac8b904d23369d0c5b8f2ab958744b320fd0e6f3374def18f812c54f7dc7246c8cc6ed94ff503a6be53311a42fcaa39d6d9adef124eb
SSDEEP

384:3dc83wVFJoJ8nI/SV65XSxbihO2KZYTZbrrNGB5nYLEyw4VmkvwKwq6u7H:Nc8Ebio2JTZimEEh

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	BulbaZ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	BulbaZ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	BulbaZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	BulbaZ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	BulbaZ.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	BulbaZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	BulbaZ.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2888	powershell.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2396	BulbaZ.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	BulbaZ.exe
Token: SeDebugPrivilege	2888	powershell.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe
2396	BulbaZ.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2888	2396	BulbaZ.exe	31
PID 2396 wrote to memory of 2888	2396	BulbaZ.exe	31
PID 2396 wrote to memory of 2888	2396	BulbaZ.exe	31

C:\Users\Admin\AppData\Local\Temp\Debug\BulbaZ.exe
"C:\Users\Admin\AppData\Local\Temp\Debug\BulbaZ.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -NoProfile -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2396-19-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-1-0x000000013FAA0000-0x000000013FAB2000-memory.dmp

Filesize
72KB

Download
memory/2396-2-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2396-3-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-5-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-23-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2396-22-0x000007FEF51C0000-0x000007FEF5BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-21-0x000000001E5E0000-0x000000001E5F0000-memory.dmp

Filesize
64KB

Download
memory/2396-0-0x000007FEF51C3000-0x000007FEF51C4000-memory.dmp

Filesize
4KB

Download
memory/2396-20-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2888-11-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2888-17-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-16-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-18-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-15-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-14-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-12-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2888-13-0x000007FEECAD0000-0x000007FEED46D000-memory.dmp

Filesize
9.6MB

Download
memory/2888-10-0x000007FEECD8E000-0x000007FEECD8F000-memory.dmp

Filesize
4KB

Download