Analysis
max time kernel: 429s
max time network: 559s
platform: windows7_x64
resource: win7-20220715-en
submitted: 20-07-2022 16:59
Static task: static1
Behavioral task: behavioral1
  Sample: C36897E9150F3FCDBA12C6076726A645.exe
  Resource: win7-20220715-en (windows7-x64)
  6 signatures, 600 seconds
Behavioral task: behavioral2
  Sample: C36897E9150F3FCDBA12C6076726A645.exe
  Resource: win10v2004-20220414-en (windows10-2004-x64)
  6 signatures, 600 seconds
General
Target: C36897E9150F3FCDBA12C6076726A645.exe
Size: 1.4MB
MD5: c36897e9150f3fcdba12c6076726a645
SHA1: dbd4dbfe4dabf06535353454ad1d9596f97de8b9
SHA256: b079f2c81638d23c59c0c04c9e2b6caf02e8bac37746d1cded77b4638bd025be
SHA512: 0c7dde683eec79fac2e50cd33e7eb47f26e313d4dd4ebec04c79cb0a01ae15ce3cc25972f61ef187b19fe69dd8f9f903db623f1c58b739b9e036fc6ff4478078
Score: 10/10
Malware Config (extracted)
Family: bandook
C2: deapproved.ru
Signatures

Bandook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/848-61-0x0000000013140000-0x0000000013C7D000-memory.dmp | family_bandook
behavioral1/memory/848-62-0x0000000013140000-0x0000000013C7D000-memory.dmp | family_bandook
behavioral1/memory/1824-70-0x0000000013140000-0x0000000013C7D000-memory.dmp | family_bandook
behavioral1/memory/1824-71-0x0000000013140000-0x0000000013C7D000-memory.dmp | family_bandook

resource | yara_rule
behavioral1/memory/848-58-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx
behavioral1/memory/848-60-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx
behavioral1/memory/848-61-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx
behavioral1/memory/848-62-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx
behavioral1/memory/1824-70-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx
behavioral1/memory/1824-71-0x0000000013140000-0x0000000013C7D000-memory.dmp | upx

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run | msinfo32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\GGES = "C:\\Users\\Admin\\AppData\\Roaming\\GGES\\GGES.exe" | msinfo32.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid | Process
848 | msinfo32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 848 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 27
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
PID 1752 wrote to memory of 1824 | 1752 | C36897E9150F3FCDBA12C6076726A645.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\C36897E9150F3FCDBA12C6076726A645.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C36897E9150F3FCDBA12C6076726A645.exe"
  PID: 1752
  Suspicious use of WriteProcessMemory

    C:\windows\syswow64\msinfo32.exe
      Command line: C:\windows\syswow64\msinfo32.exe
      PID: 848
      Suspicious behavior: EnumeratesProcesses

    C:\windows\syswow64\msinfo32.exe
      Command line: C:\windows\syswow64\msinfo32.exe
      PID: 1824
      Adds Run key to start application