Analysis
max time kernel: 140s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2022 16:35
Static task: static1
Behavioral task: behavioral1
  Sample: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
  Resource: win10v2004-20220721-en
General
Target: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
Size: 2.5MB
MD5: 60603c03611bec2d605fd134af541c41
SHA1: 97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
SHA256: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
SHA512: 793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    4068  bnkpostale.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
    description      ioc  process
    Set value (str)  \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bnkpostale = "\"C:\\Users\\Admin\\AppData\\Roaming\\bnkpostale\\bnkpostale.exe\""  bnkpostale.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    7     ip-api.com
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    pid   process
    4400  schtasks.exe
    4048  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
    4068  bnkpostale.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes:
    description                        pid   process
    Token: 33                          688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
    Token: SeIncBasePriorityPrivilege  688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
    Token: SeDebugPrivilege            688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
    Token: 33                          4068  bnkpostale.exe
    Token: SeIncBasePriorityPrivilege  4068  bnkpostale.exe
    Token: SeDebugPrivilege            4068  bnkpostale.exe
    Token: 33                          4068  bnkpostale.exe
    Token: SeIncBasePriorityPrivilege  4068  bnkpostale.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    4068  bnkpostale.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                         pid   process  target process
    PID 688 wrote to memory of 4048     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  schtasks.exe
    PID 688 wrote to memory of 4048     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  schtasks.exe
    PID 688 wrote to memory of 4048     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  schtasks.exe
    PID 688 wrote to memory of 4068     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  bnkpostale.exe
    PID 688 wrote to memory of 4068     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  bnkpostale.exe
    PID 688 wrote to memory of 4068     688   5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe  bnkpostale.exe
    PID 4068 wrote to memory of 4400    4068  bnkpostale.exe  schtasks.exe
    PID 4068 wrote to memory of 4400    4068  bnkpostale.exe  schtasks.exe
    PID 4068 wrote to memory of 4400    4068  bnkpostale.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5.exe" /rl HIGHEST /f
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
    Command line: "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks" /create /tn "bnkpostale" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe" /rl HIGHEST /f
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\bnkpostale\bnkpostale.exe
  Filesize: 2.5MB
  MD5: 60603c03611bec2d605fd134af541c41
  SHA1: 97ea9b13dc1f7ee2b9ad231571ec4cfa6e2186fb
  SHA256: 5540ebd0c042474a8831fa85f22af31bf269a7c5293b3b17a673a1c9f5de78a5
  SHA512: 793d8e0f5fb692236ef2678eb7a6e5e8e7af588a82238ba89ab3b1eaf588372dd31c16946ffd3be30c03bea0aee580bfb07333bcd8a2d464a52e15a319b435ed
- memory/688-130-0x0000000005270000-0x0000000005302000-memory.dmp (Filesize: 584KB)
- memory/688-131-0x0000000007CF0000-0x0000000008294000-memory.dmp (Filesize: 5.6MB)
- memory/688-132-0x0000000004B30000-0x0000000004B96000-memory.dmp (Filesize: 408KB)
- memory/688-133-0x0000000005E90000-0x0000000005EA2000-memory.dmp (Filesize: 72KB)
- memory/688-134-0x00000000062A0000-0x00000000062DC000-memory.dmp (Filesize: 240KB)
- memory/4048-135-0x0000000000000000-mapping.dmp
- memory/4068-136-0x0000000000000000-mapping.dmp
- memory/4068-140-0x0000000006570000-0x000000000657A000-memory.dmp (Filesize: 40KB)
- memory/4400-139-0x0000000000000000-mapping.dmp