Analysis
- max time kernel: 1602s
- max time network: 1783s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 21-09-2022 21:48
Static task
- static1
Behavioral task
- behavioral1
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  Resource: win7-20220812-en
- behavioral2
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  Resource: win10v2004-20220812-en
- behavioral3
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/msvfw32 - copia (6).dll
  Resource: win7-20220812-en
- behavioral4
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/msvfw32 - copia (6).dll
  Resource: win10v2004-20220901-en
General
- Target: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
- Size: 3.0MB
- MD5: a986715bc03da3613fa1e63e3a2a38f6
- SHA1: 75c1c48a018cc8c63f154da2d81f4949beb30bb3
- SHA256: 83c24c9bca7a2e2ca9b00bfd5b2b04c464d90ba24d23f0d708ba56578ca8e3b7
- SHA512: 161f2c91ee9ddb203904b94a7087c4e1193ded81cee77fa09e66fe6b1ee3beca188b214efb53ffb6a62f51e8cf452b185ef35169ea6a8335b94c6bf28a90a6ad
- SSDEEP: 49152:BUUcMvybmbLj+JrHJk3OVcRDjHrCTny8ciBMsRl1djm:BF
Malware Config
Signatures
- Bandook payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
- Processes:
  resource | yara_rule
  behavioral1/memory/1804-58-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1804-60-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: msinfo32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | msinfo32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\KCXI = "C:\\Users\\Admin\\AppData\\Roaming\\KCXI\\KCXI.exe" | msinfo32.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: msinfo32.exe
  pid | process
  1804 | msinfo32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  description | pid | process | target process
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1804 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
  PID 1476 wrote to memory of 1228 | 1476 | PAGO AL INSTANTE LBTR 21-09-2022_B.exe | msinfo32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe"
  - Suspicious use of WriteProcessMemory
  - C:\windows\syswow64\msinfo32.exe
    Command line: C:\windows\syswow64\msinfo32.exe
    - Suspicious behavior: EnumeratesProcesses
  - C:\windows\syswow64\msinfo32.exe
    Command line: C:\windows\syswow64\msinfo32.exe
    - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1228-65-0x0000000000000000-mapping.dmp
- memory/1228-70-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1228-71-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1476-54-0x0000000074FB1000-0x0000000074FB3000-memory.dmp (Filesize: 8KB)
- memory/1804-55-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1804-57-0x0000000000000000-mapping.dmp
- memory/1804-58-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1804-60-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1804-61-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1804-62-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)