Overview

overview

10

Static

static

4f1923485e...a3.exe

windows7_x64

10

4f1923485e...a3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    176s
  • max time network
    64s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    13-05-2022 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe

  • Size

    977KB

  • MD5

    f000ca9522aafa0c54b863528228a43b

  • SHA1

    c636e88b9e8079ba086f5cdb132fa39e747d0f23

  • SHA256

    4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3

  • SHA512

    ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d

Score
10/10
bandookpersistencerattrojan

Malware Config

Signatures

  • Bandook Payload 4 IoCs
  • Bandook RAT

    Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    rattrojanbandook
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 47 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe
    "C:\Users\Admin\AppData\Local\Temp\4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Users\Admin\AppData\Local\Temp\4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe
      "C:\Users\Admin\AppData\Local\Temp\4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:628
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Adds Run key to start application
          PID:1180
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
            PID:1696
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            3⤵
            • Adds Run key to start application
            PID:2028
      • C:\Windows\system32\mmc.exe
        "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
        1⤵
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1376
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe"
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:672

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\bbc\bbc.exe
        Filesize

        977KB

        MD5

        f000ca9522aafa0c54b863528228a43b

        SHA1

        c636e88b9e8079ba086f5cdb132fa39e747d0f23

        SHA256

        4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3

        SHA512

        ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d

        Download Submit
      • memory/276-54-0x0000000013140000-0x0000000013B93000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/276-56-0x0000000013140000-0x0000000013B93000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/276-57-0x0000000013149793-mapping.dmp
        Download
      • memory/276-59-0x0000000076421000-0x0000000076423000-memory.dmp
        Filesize

        8KB

        Download
      • memory/276-60-0x0000000013140000-0x0000000013B93000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/276-61-0x0000000013140000-0x0000000013B93000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/1376-62-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1376-63-0x000007FEF2730000-0x000007FEF3153000-memory.dmp
        Filesize

        10.1MB

        Download
      • memory/1376-64-0x000007FEEE1A0000-0x000007FEEF236000-memory.dmp
        Filesize

        16.6MB

        Download
      • memory/1376-65-0x000000001D910000-0x000000001D929000-memory.dmp
        Filesize

        100KB

        Download
      • memory/1376-66-0x0000000004158000-0x0000000004177000-memory.dmp
        Filesize

        124KB

        Download