Analysis
- max time kernel: 202s
- max time network: 265s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 14:10

Static task: static1
Behavioral task: behavioral1
- Sample: SOLICITUD DE COTIZACION_20D5.exe
- Resource: win7-20220414-en (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: SOLICITUD DE COTIZACION_20D5.exe
- Size: 1.8MB
- MD5: 732717fb963205cdf2d23f4a177fcfcb
- SHA1: f7bf9ce224c48c33208f896b1bc7b8b90f3accd1
- SHA256: 051495d208bad010334f14c162600b66c7ef437ae3f6bd037e39bbfc4ccdb415
- SHA512: 3761cbb98c804fd7194896249eb3545281dbc410f7a3e129be9dc5f29d2dd9f6bb730449c373b6179f363cbac45b40e500cb989762a31380b8fce57b5942cd6f
Malware Config

Signatures
- Bandook Payload 3 IoCs
  Processes:
  resource                                                                        yara_rule
  behavioral2/memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp    family_bandook
  behavioral2/memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp    family_bandook
  behavioral2/memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp    family_bandook
-
  Processes:
  resource                                                                        yara_rule
  behavioral2/memory/3732-131-0x0000000013140000-0x0000000013C75000-memory.dmp    upx
  behavioral2/memory/3732-132-0x0000000013140000-0x0000000013C75000-memory.dmp    upx
  behavioral2/memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp    upx
  behavioral2/memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp    upx
  behavioral2/memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp    upx
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid     process
  3732    msinfo32.exe
  3732    msinfo32.exe
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes:
  description                          pid     process                             target process
  PID 2548 wrote to memory of 3732     2548    SOLICITUD DE COTIZACION_20D5.exe    msinfo32.exe
  PID 2548 wrote to memory of 3732     2548    SOLICITUD DE COTIZACION_20D5.exe    msinfo32.exe
  PID 2548 wrote to memory of 3732     2548    SOLICITUD DE COTIZACION_20D5.exe    msinfo32.exe
  PID 2548 wrote to memory of 3732     2548    SOLICITUD DE COTIZACION_20D5.exe    msinfo32.exe
  PID 2548 wrote to memory of 3732     2548    SOLICITUD DE COTIZACION_20D5.exe    msinfo32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE COTIZACION_20D5.exe"
  - Suspicious use of WriteProcessMemory
  PID:2548
  - C:\windows\SysWOW64\msinfo32.exe
    Command line: C:\windows\syswow64\msinfo32.exe
    - Suspicious behavior: EnumeratesProcesses
    PID:3732
Network
MITRE ATT&CK Matrix
Downloads
- memory/3732-130-0x0000000000000000-mapping.dmp
- memory/3732-131-0x0000000013140000-0x0000000013C75000-memory.dmp    Filesize: 11.2MB
- memory/3732-132-0x0000000013140000-0x0000000013C75000-memory.dmp    Filesize: 11.2MB
- memory/3732-133-0x0000000013140000-0x0000000013C75000-memory.dmp    Filesize: 11.2MB
- memory/3732-134-0x0000000013140000-0x0000000013C75000-memory.dmp    Filesize: 11.2MB
- memory/3732-135-0x0000000013140000-0x0000000013C75000-memory.dmp    Filesize: 11.2MB