Analysis

max time kernel: 44s
max time network: 47s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 13:31

- Static task: static1
- Behavioral task: behavioral1
  Sample: bbc.exe
  Resource: win7-20220414-en (windows7_x64)
  0 signatures, 0 seconds
General

Target: bbc.exe
Size: 977KB
MD5: f000ca9522aafa0c54b863528228a43b
SHA1: c636e88b9e8079ba086f5cdb132fa39e747d0f23
SHA256: 4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3
SHA512: ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d
Malware Config

Extracted
Family: bandook
C2: iamgood.blogdns.net
Signatures

Bandook payload (3 IoCs)
resource | yara_rule
behavioral2/memory/4440-131-0x0000000013140000-0x0000000013B93000-memory.dmp | family_bandook
behavioral2/memory/4440-133-0x0000000013140000-0x0000000013B93000-memory.dmp | family_bandook
behavioral2/memory/4440-134-0x0000000013140000-0x0000000013B93000-memory.dmp | family_bandook

Suspicious use of SetThreadContext (1 IoC)
Processes: bbc.exe
description | pid | process | target process
PID 3156 set thread context of 4440 | 3156 | bbc.exe | bbc.exe

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: bbc.exe, bbc.exe
description | pid | process | target process
PID 3156 wrote to memory of 4440 | 3156 | bbc.exe | bbc.exe
PID 3156 wrote to memory of 4440 | 3156 | bbc.exe | bbc.exe
PID 3156 wrote to memory of 4440 | 3156 | bbc.exe | bbc.exe
PID 3156 wrote to memory of 4440 | 3156 | bbc.exe | bbc.exe
PID 3156 wrote to memory of 4440 | 3156 | bbc.exe | bbc.exe
PID 4440 wrote to memory of 4280 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 4280 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 4280 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 4280 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 3152 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 3152 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 3152 | 4440 | bbc.exe | iexplore.exe
PID 4440 wrote to memory of 3152 | 4440 | bbc.exe | iexplore.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\bbc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbc.exe"
  PID: 3156
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bbc.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\bbc.exe"
    PID: 4440
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 4280
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 3152
Downloads

- memory/4440-130-0x0000000000000000-mapping.dmp
- memory/4440-131-0x0000000013140000-0x0000000013B93000-memory.dmp (Filesize: 10.3MB)
- memory/4440-133-0x0000000013140000-0x0000000013B93000-memory.dmp (Filesize: 10.3MB)
- memory/4440-134-0x0000000013140000-0x0000000013B93000-memory.dmp (Filesize: 10.3MB)