Overview

overview

10

Static

static

SOLICITUD ...D5.exe

windows7_x64

10

SOLICITUD ...D5.exe

windows10-2004_x64

10

Resubmissions

27-06-2022 14:10

220627-rg151sbggr 10

27-06-2022 14:08

220627-rfr6qabggl 1

Analysis

  • max time kernel
    301s
  • max time network
    266s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    27-06-2022 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOLICITUD DE COTIZACION_20D5.exe

  • Size

    1.8MB

  • MD5

    732717fb963205cdf2d23f4a177fcfcb

  • SHA1

    f7bf9ce224c48c33208f896b1bc7b8b90f3accd1

  • SHA256

    051495d208bad010334f14c162600b66c7ef437ae3f6bd037e39bbfc4ccdb415

  • SHA512

    3761cbb98c804fd7194896249eb3545281dbc410f7a3e129be9dc5f29d2dd9f6bb730449c373b6179f363cbac45b40e500cb989762a31380b8fce57b5942cd6f

Score
10/10
bandookrattrojanupx

Malware Config

Signatures

  • Bandook Payload 2 IoCs
  • Bandook RAT

    Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    rattrojanbandook
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe
    "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\windows\syswow64\msinfo32.exe
      C:\windows\syswow64\msinfo32.exe
      2⤵
        PID:972
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1788

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/780-54-0x0000000074E91000-0x0000000074E93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/972-58-0x0000000013140000-0x0000000013C75000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/972-60-0x0000000000000000-mapping.dmp
      Download
    • memory/972-61-0x0000000013140000-0x0000000013C75000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/972-63-0x0000000013140000-0x0000000013C75000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/972-64-0x0000000013140000-0x0000000013C75000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/972-65-0x0000000013140000-0x0000000013C75000-memory.dmp
      Filesize

      11.2MB

      Download
    • memory/1788-55-0x000007FEFBA91000-0x000007FEFBA93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1788-56-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download
    • memory/1788-57-0x0000000140000000-0x00000001405E8000-memory.dmp
      Filesize

      5.9MB

      Download