Analysis
- max time kernel: 51s
- max time network: 55s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 16:35
Static task: static1
Behavioral task: behavioral1
- Sample: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Resource: win10v2004-20220721-en
General
- Target: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Size: 2.5MB
- MD5: 60603c03611bec2d605fd134af541c41
- SHA1: 97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
- SHA256: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
- SHA512: 793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
Processes:
- PID 760: bnkpostale.exe
-
Loads dropped DLL (2 IoCs)
Processes:
- PID 992: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- PID 760: bnkpostale.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe: Set value (str) \REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\bnkpostale = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe\""
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 1: ip-api.com
-
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 992: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- PID 760: bnkpostale.exe
-
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes:
- Token: 33, PID 992, 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Token: SeIncBasePriorityPrivilege, PID 992, 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Token: SeDebugPrivilege, PID 992, 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Token: 33, PID 992, 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Token: SeIncBasePriorityPrivilege, PID 992, 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
- Token: 33, PID 760, bnkpostale.exe
- Token: SeIncBasePriorityPrivilege, PID 760, bnkpostale.exe
- Token: SeDebugPrivilege, PID 760, bnkpostale.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 760: bnkpostale.exe
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 992 (5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe) wrote to memory of PID 1168 (schtasks.exe), 4 entries
- PID 992 (5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe) wrote to memory of PID 760 (bnkpostale.exe), 4 entries
- PID 760 (bnkpostale.exe) wrote to memory of PID 276 (schtasks.exe), 4 entries
Processes
-
C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  -
  C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
    Command line: "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
  Filesize: 2.5MB
  MD5: 60603c03611bec2d605fd134af541c41
  SHA1: 97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
  SHA256: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
  SHA512: 793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed
-
Memory dumps:
- memory/276-72-0x0000000000000000-mapping.dmp
- memory/760-63-0x0000000000000000-mapping.dmp
- memory/760-65-0x0000000000710000-0x0000000000850000-memory.dmp (Filesize: 1.2MB)
- memory/760-71-0x0000000004B9B000-0x0000000004BAC000-memory.dmp (Filesize: 68KB)
- memory/760-73-0x0000000004B9B000-0x0000000004BAC000-memory.dmp (Filesize: 68KB)
- memory/992-54-0x0000000004F90000-0x0000000005198000-memory.dmp (Filesize: 2.0MB)
- memory/992-61-0x0000000004B3B000-0x0000000004B4C000-memory.dmp (Filesize: 68KB)
- memory/992-59-0x0000000004B3B000-0x0000000004B4C000-memory.dmp (Filesize: 68KB)
- memory/992-55-0x0000000002000000-0x0000000002140000-memory.dmp (Filesize: 1.2MB)
- memory/1168-60-0x0000000000000000-mapping.dmp