Analysis
- max time kernel: 296s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-05-2022 19:36
Static task: static1
Behavioral task: behavioral1
  Sample: 13140000.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 13140000.exe
  Resource: win10v2004-20220414-en
General
- Target: 13140000.exe
- Size: 10.3MB
- MD5: 80b58f43feb6e5b04250961c86e9e891
- SHA1: bcd22b9e345da4d845b61c20aa429d713a307354
- SHA256: 0a4e59d0906316f0476dd5463ae6b93bb4a98211ff119f267b7320f13960bd47
- SHA512: 8536f888d70638ef5ae94b8d8e7e78b5a0c92a122d9a13563a4467602283f0d17f777acc385f820c15ceca755d3ed769b17ed82df80ea84d479c3cf9e1b1dffe
Malware Config
Extracted
- Family: bandook
- C2: iamgood.blogdns.net
Signatures
- Bandook payload (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\bbc\bbc.exe | family_bandook
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: iexplore.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 13140000.exe
  description | pid | process | target process
  PID 1920 wrote to memory of 1232 | 1920 | 13140000.exe | iexplore.exe (5 events)
  PID 1920 wrote to memory of 1036 | 1920 | 13140000.exe | iexplore.exe (5 events)
  PID 1920 wrote to memory of 1788 | 1920 | 13140000.exe | iexplore.exe (5 events)
  PID 1920 wrote to memory of 968 | 1920 | 13140000.exe | iexplore.exe (5 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\13140000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13140000.exe"
  PID: 1920
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 1232
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 1036
    Signatures: Adds Run key to start application
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 1788
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    PID: 968
    Signatures: Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\bbc\bbc.exe
  Filesize: 10.3MB
  MD5: 80b58f43feb6e5b04250961c86e9e891
  SHA1: bcd22b9e345da4d845b61c20aa429d713a307354
  SHA256: 0a4e59d0906316f0476dd5463ae6b93bb4a98211ff119f267b7320f13960bd47
  SHA512: 8536f888d70638ef5ae94b8d8e7e78b5a0c92a122d9a13563a4467602283f0d17f777acc385f820c15ceca755d3ed769b17ed82df80ea84d479c3cf9e1b1dffe
- memory/1920-54-0x0000000075F61000-0x0000000075F63000-memory.dmp
  Filesize: 8KB