Analysis

Max time kernel: 299s
Max time network: 280s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 19-05-2022 19:36

Static task: static1

Behavioral task: behavioral1
  Sample: 13140000.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 13140000.exe
  Resource: win10v2004-20220414-en
General

Target: 13140000.exe
Size: 10.3MB
MD5: 80b58f43feb6e5b04250961c86e9e891
SHA1: bcd22b9e345da4d845b61c20aa429d713a307354
SHA256: 0a4e59d0906316f0476dd5463ae6b93bb4a98211ff119f267b7320f13960bd47
SHA512: 8536f888d70638ef5ae94b8d8e7e78b5a0c92a122d9a13563a4467602283f0d17f777acc385f820c15ceca755d3ed769b17ed82df80ea84d479c3cf9e1b1dffe
Malware Config

Extracted
  Family: bandook
  C2: iamgood.blogdns.net
Signatures

Bandook payload (1 IoC)
  Resource | YARA rule
  C:\Users\Admin\AppData\Local\bbc\bbc.exe | family_bandook

Adds Run key to start application (2 TTPs, 4 IoCs)
  Two iexplore.exe instances (PIDs 2228 and 876 in the process tree below) each create the Run key and set the bbc value.
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" | iexplore.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  The sample (PID 2408) writes four times into each of four iexplore.exe children it spawned (PIDs 3100, 2228, 4504, 876).
  Description | PID | Process | Target process
  PID 2408 wrote to memory of 3100 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 3100 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 3100 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 3100 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 2228 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 2228 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 2228 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 2228 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 4504 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 4504 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 4504 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 4504 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 876 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 876 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 876 | 2408 | 13140000.exe | iexplore.exe
  PID 2408 wrote to memory of 876 | 2408 | 13140000.exe | iexplore.exe
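The two signature tables above are flat event rows. The script below is an added example (my code, not the sandbox vendor's tooling) that parses rows in that layout into a per-writer injection map and flags the pattern this report shows: one parent making repeated WriteProcessMemory calls into several freshly spawned copies of the same legitimate binary, with the Run key then written by the injected image rather than by the original sample. The event text is constructed from the rows in this report (same PIDs, images, key and value); the regexes assume that exact row layout, and hollowing_candidates is a triage heuristic, not a verdict.

```python
"""Rebuild a parent->child injection map from flat sandbox signature rows.

Added example; not the sandbox vendor's code. The event text below is
constructed from the rows in this report (same PIDs, images, key and value);
the regexes assume that row layout.
"""
import re
from collections import defaultdict

# Constructed copy of the "Suspicious use of WriteProcessMemory" rows.
WRITE_EVENTS = """
PID 2408 wrote to memory of 3100 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 3100 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 3100 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 3100 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 2228 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 2228 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 2228 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 2228 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 4504 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 4504 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 4504 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 4504 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 876 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 876 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 876 2408 13140000.exe iexplore.exe
PID 2408 wrote to memory of 876 2408 13140000.exe iexplore.exe
"""

# Constructed copy of the "Adds Run key" set-value rows. Raw string: the
# report shows the value with doubled backslashes, which parse_run_keys undoes.
RUN_KEY_EVENTS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" iexplore.exe
"""

# Row layouts: "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>"
# and 'Set value (str) <key_path> = "<value>" <writing_image>'.
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
RUN_RE = re.compile(r'Set value \(str\) (\S+) = "([^"]*)" (\S+)')


def parse_write_events(text):
    """One (src_pid, dst_pid, src_image, dst_image) tuple per row."""
    return [(int(s), int(d), si, di) for s, d, si, di in WRITE_RE.findall(text)]


def injection_map(events):
    """{(src_pid, src_image): {(dst_pid, dst_image): number_of_writes}}."""
    out = defaultdict(lambda: defaultdict(int))
    for s, d, si, di in events:
        out[(s, si)][(d, di)] += 1
    return {writer: dict(targets) for writer, targets in out.items()}


def parse_run_keys(text):
    """(key_path, value, writing_image) per row; value backslashes un-doubled."""
    return [(k, v.replace("\\\\", "\\"), p) for k, v, p in RUN_RE.findall(text)]


def hollowing_candidates(imap, min_writes=4):
    """Triage heuristic, not a verdict: one writer making >= min_writes
    cross-process writes into two or more processes of the same target image.
    Sandbox rows carry no addresses or timing, so confirm on a memory dump."""
    findings = []
    for (spid, simg), targets in imap.items():
        by_image = defaultdict(list)
        for (dpid, dimg), n in targets.items():
            if n >= min_writes:
                by_image[dimg].append(dpid)
        for dimg, pids in by_image.items():
            if len(pids) >= 2:
                findings.append({"writer": (spid, simg),
                                 "target_image": dimg,
                                 "target_pids": sorted(pids)})
    return findings


def persistence_from_injected(imap, run_keys):
    """Run-key rows whose writing image was itself an injection target:
    persistence was set from inside the injected process, not by the sample."""
    injected = {dimg for targets in imap.values() for (_, dimg) in targets}
    return [row for row in run_keys if row[2] in injected]


if __name__ == "__main__":
    imap = injection_map(parse_write_events(WRITE_EVENTS))
    for (spid, simg), targets in imap.items():
        print(f"{simg} (PID {spid}) wrote into:")
        for (dpid, dimg), n in sorted(targets.items()):
            print(f"  {dimg} PID {dpid}: {n} writes")
    for finding in hollowing_candidates(imap):
        print("hollowing candidate:", finding)
    for key, value, image in persistence_from_injected(imap, parse_run_keys(RUN_KEY_EVENTS)):
        print(f"persistence written by injected {image}: {key} = {value}")
```

The same parsers can be pointed at rows copied from any report in this layout; the payoff for triage is the pairing of the two findings, since a Run key written by iexplore.exe rather than by the submitted sample means host-side hunting must look for the value and the dropped path, not for the sample's original name.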
Processes

C:\Users\Admin\AppData\Local\Temp\13140000.exe (PID 2408)
  Command line: "C:\Users\Admin\AppData\Local\Temp\13140000.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3100)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2228)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Adds Run key to start application

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4504)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

  C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 876)
    Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\bbc\bbc.exe
  Filesize: 10.3MB
  MD5: 80b58f43feb6e5b04250961c86e9e891
  SHA1: bcd22b9e345da4d845b61c20aa429d713a307354
  SHA256: 0a4e59d0906316f0476dd5463ae6b93bb4a98211ff119f267b7320f13960bd47
  SHA512: 8536f888d70638ef5ae94b8d8e7e78b5a0c92a122d9a13563a4467602283f0d17f777acc385f820c15ceca755d3ed769b17ed82df80ea84d479c3cf9e1b1dffe

All four hashes match the submitted sample: the Run-key target bbc.exe is a byte-for-byte copy of 13140000.exe, so the sample's own hashes are valid indicators for the persisted file.