Analysis
- max time kernel: 154s
- max time network: 137s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 03-07-2022 13:33

Static task: static1
Behavioral task: behavioral1
- Sample: bbc.exe
- Resource: win10v2004-20220414-en
General
- Target: bbc.exe
- Size: 977KB
- MD5: f000ca9522aafa0c54b863528228a43b
- SHA1: c636e88b9e8079ba086f5cdb132fa39e747d0f23
- SHA256: 4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3
- SHA512: ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d
Malware Config
Extracted
bandook
iamgood.blogdns.net
Signatures
- Bandook payload (4 IoCs)
  Processes:
  resource: behavioral1/memory/4228-131-0x0000000013140000-0x0000000013B93000-memory.dmp, yara_rule: family_bandook
  resource: behavioral1/memory/4228-133-0x0000000013140000-0x0000000013B93000-memory.dmp, yara_rule: family_bandook
  resource: behavioral1/memory/4228-134-0x0000000013140000-0x0000000013B93000-memory.dmp, yara_rule: family_bandook
  resource: behavioral1/memory/4228-135-0x0000000013140000-0x0000000013B93000-memory.dmp, yara_rule: family_bandook
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: iexplore.exe, iexplore.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" (process: iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbc = "C:\\Users\\Admin\\AppData\\Local\\bbc\\bbc.exe" (process: iexplore.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run (process: iexplore.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: bbc.exe
  PID 320 (bbc.exe) set thread context of PID 4228 (bbc.exe)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: bbc.exe, bbc.exe
  PID 320 (bbc.exe) wrote to memory of PID 4228 (bbc.exe)
  PID 320 (bbc.exe) wrote to memory of PID 4228 (bbc.exe)
  PID 320 (bbc.exe) wrote to memory of PID 4228 (bbc.exe)
  PID 320 (bbc.exe) wrote to memory of PID 4228 (bbc.exe)
  PID 320 (bbc.exe) wrote to memory of PID 4228 (bbc.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 1460 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 1460 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 1460 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 1460 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 4368 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 4368 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 4368 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 4368 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 2052 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 2052 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 2052 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 2052 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 652 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 652 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 652 (iexplore.exe)
  PID 4228 (bbc.exe) wrote to memory of PID 652 (iexplore.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\bbc.exe, command line "C:\Users\Admin\AppData\Local\Temp\bbc.exe" (PID 320)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bbc.exe, command line "C:\Users\Admin\AppData\Local\Temp\bbc.exe" (PID 4228)
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe, command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (PID 1460)
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe, command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (PID 4368)
      - Adds Run key to start application
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe, command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (PID 2052)
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe, command line "C:\Program Files (x86)\Internet Explorer\iexplore.exe" (PID 652)
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\bbc\bbc.exe
  Filesize: 977KB
  MD5: f000ca9522aafa0c54b863528228a43b
  SHA1: c636e88b9e8079ba086f5cdb132fa39e747d0f23
  SHA256: 4f1923485e8cdd052467d335a6384f93cd1d50b5d927aea471e56290be29ffa3
  SHA512: ccbb478d676a3c6f1355ab30933196c5bf41b64b613e8efe661546c238700ce2aec340390af9069c303a43bc7c4f41400c418920041cf4967c6e02b272ef372d
- memory/4228-130-0x0000000000000000-mapping.dmp
- memory/4228-131-0x0000000013140000-0x0000000013B93000-memory.dmp
  Filesize: 10.3MB
- memory/4228-133-0x0000000013140000-0x0000000013B93000-memory.dmp
  Filesize: 10.3MB
- memory/4228-134-0x0000000013140000-0x0000000013B93000-memory.dmp
  Filesize: 10.3MB
- memory/4228-135-0x0000000013140000-0x0000000013B93000-memory.dmp
  Filesize: 10.3MB