Analysis

max time kernel: 1614s
max time network: 1783s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-09-2022 21:48
Static task: static1

Behavioral task: behavioral1
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
  Resource: win10v2004-20220812-en

Behavioral task: behavioral3
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/msvfw32 - copia (6).dll
  Resource: win7-20220812-en

Behavioral task: behavioral4
  Sample: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/msvfw32 - copia (6).dll
  Resource: win10v2004-20220901-en
General

Target: PAGO AL INSTANTE LBTR 21-09-2022_B(1)/PAGO AL INSTANTE LBTR 21-09-2022_B.exe
Size: 3.0MB
MD5: a986715bc03da3613fa1e63e3a2a38f6
SHA1: 75c1c48a018cc8c63f154da2d81f4949beb30bb3
SHA256: 83c24c9bca7a2e2ca9b00bfd5b2b04c464d90ba24d23f0d708ba56578ca8e3b7
SHA512: 161f2c91ee9ddb203904b94a7087c4e1193ded81cee77fa09e66fe6b1ee3beca188b214efb53ffb6a62f51e8cf452b185ef35169ea6a8335b94c6bf28a90a6ad
SSDEEP: 49152:BUUcMvybmbLj+JrHJk3OVcRDjHrCTny8ciBMsRl1djm:BF (truncated as displayed)
Malware Config
Signatures
Bandook payload (4 IoCs)
  resource (yara_rule)                                                              rule
  behavioral2/memory/3032-135-0x0000000013140000-0x0000000014009000-memory.dmp     family_bandook
  behavioral2/memory/3032-136-0x0000000013140000-0x0000000014009000-memory.dmp     family_bandook
  behavioral2/memory/3032-137-0x0000000013140000-0x0000000014009000-memory.dmp     family_bandook
  behavioral2/memory/1320-142-0x0000000013140000-0x0000000014009000-memory.dmp     family_bandook

UPX-packed memory regions (YARA rule upx, 6 IoCs; the signature title is missing from the page)
  resource (yara_rule)                                                              rule
  behavioral2/memory/3032-133-0x0000000013140000-0x0000000014009000-memory.dmp     upx
  behavioral2/memory/3032-134-0x0000000013140000-0x0000000014009000-memory.dmp     upx
  behavioral2/memory/3032-135-0x0000000013140000-0x0000000014009000-memory.dmp     upx
  behavioral2/memory/3032-136-0x0000000013140000-0x0000000014009000-memory.dmp     upx
  behavioral2/memory/3032-137-0x0000000013140000-0x0000000014009000-memory.dmp     upx
  behavioral2/memory/1320-142-0x0000000013140000-0x0000000014009000-memory.dmp     upx

Adds Run key to start application (2 TTPs, 2 IoCs)
  process       description      ioc
  msinfo32.exe  Set value (str)  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KCXI = "C:\\Users\\Admin\\AppData\\Roaming\\KCXI\\KCXI.exe"
  msinfo32.exe  Key created      \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  3032  msinfo32.exe
  3032  msinfo32.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description                        pid   process                                  target process
  PID 2476 wrote to memory of 3032   2476  PAGO AL INSTANTE LBTR 21-09-2022_B.exe   msinfo32.exe   (5 events)
  PID 2476 wrote to memory of 1320   2476  PAGO AL INSTANTE LBTR 21-09-2022_B.exe   msinfo32.exe   (5 events)
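The two signatures above describe one chain: the sample, running from the user's Temp directory, writes into the address space of two freshly started copies of the Windows system binary msinfo32.exe, and one of those msinfo32.exe processes then registers a per-user Run value pointing into AppData\Roaming. The following Python is an added example, not part of this report or of the sandbox's own detection logic: it parses the event lines exactly as they appear in the signature tables (copied here as constructed sample input), reconstructs the source/target pairs, and flags the two patterns. The directory heuristics (SYSTEM_DIRS, USER_WRITABLE) and the pid-to-image map are my own assumptions built from the process tree on this page.

```python
import re
from collections import Counter

# Event lines copied from the "Suspicious use of WriteProcessMemory" and
# "Adds Run key to start application" signatures of this report (constructed sample input).
WRITE_EVENTS = (
    ["PID 2476 wrote to memory of 3032 2476 PAGO AL INSTANTE LBTR 21-09-2022_B.exe msinfo32.exe"] * 5
    + ["PID 2476 wrote to memory of 1320 2476 PAGO AL INSTANTE LBTR 21-09-2022_B.exe msinfo32.exe"] * 5
)
REGISTRY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KCXI = "C:\\Users\\Admin\\AppData\\Roaming\\KCXI\\KCXI.exe" msinfo32.exe',
    r'Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run msinfo32.exe',
]
# pid -> image path, assumed from the report's process tree.
PROCESSES = {
    2476: r"C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe",
    3032: r"C:\windows\SysWOW64\msinfo32.exe",
    1320: r"C:\windows\SysWOW64\msinfo32.exe",
}

# Source image names may contain spaces, so take the target as the last token.
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<src_image>.+?) (?P<dst_image>\S+)$")
RUN_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?\\CurrentVersion\\Run)\\(?P<name>[^\\ ]+)'
    r' = "(?P<data>.*)" (?P<writer>\S+)$',
    re.IGNORECASE,
)
# Heuristic path classes (my assumption, not from the report).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_injections(events, processes):
    """Collapse per-write events into (source, target) pairs and flag the pattern seen here:
    an executable in a user-writable directory writing into a Windows system binary."""
    writes = Counter()
    for line in events:
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m["src"]), int(m["dst"]))] += 1
    findings = []
    for (src, dst), n in sorted(writes.items()):
        src_path, dst_path = processes.get(src, ""), processes.get(dst, "")
        findings.append({
            "source_pid": src, "source_image": basename(src_path),
            "target_pid": dst, "target_image": basename(dst_path),
            "writes": n,
            "suspicious": is_user_writable(src_path) and is_system_binary(dst_path),
        })
    return findings


def find_run_persistence(events, processes):
    """Parse Run-key value writes. Two independent red flags: the autorun command lives in a
    user-writable directory, and the process writing it is itself a system binary."""
    writers = {basename(p).lower(): p for p in processes.values()}
    findings = []
    for line in events:
        m = RUN_RE.match(line)
        if not m:
            continue  # "Key created" and other event kinds are not autorun values
        command = m["data"].replace("\\\\", "\\")  # the report renders the value with doubled backslashes
        writer_path = writers.get(m["writer"].lower(), "")
        command_in_user_dir = is_user_writable(command)
        written_by_system_binary = is_system_binary(writer_path)
        findings.append({
            "value_name": m["name"],
            "command": command,
            "per_user": m["key"].upper().startswith("\\REGISTRY\\USER\\"),  # HKU\<SID>, no elevation needed
            "writer": m["writer"],
            "command_in_user_dir": command_in_user_dir,
            "written_by_system_binary": written_by_system_binary,
            "suspicious": command_in_user_dir or written_by_system_binary,
        })
    return findings


if __name__ == "__main__":
    for f in find_injections(WRITE_EVENTS, PROCESSES):
        print("injection" if f["suspicious"] else "write", f)
    for f in find_run_persistence(REGISTRY_EVENTS, PROCESSES):
        print("persistence", f)
```

Run on the page's events this yields two injection findings (PID 2476 into 3032 and into 1320, five writes each) and one persistence finding for the per-user value KCXI, which is flagged on both counts: the command sits under AppData\Roaming and the writer is msinfo32.exe from SysWOW64, which has no legitimate reason to create Run values.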
Processes

"C:\Users\Admin\AppData\Local\Temp\PAGO AL INSTANTE LBTR 21-09-2022_B(1)\PAGO AL INSTANTE LBTR 21-09-2022_B.exe"  (PID 2476)
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\windows\SysWOW64\msinfo32.exe  (PID 3032; command line C:\windows\syswow64\msinfo32.exe, no arguments)
  |     - Suspicious behavior: EnumeratesProcesses
  |
  +-- C:\windows\SysWOW64\msinfo32.exe  (PID 1320; command line C:\windows\syswow64\msinfo32.exe, no arguments)
        - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/1320-138-0x0000000000000000-mapping.dmp
memory/1320-142-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
memory/3032-132-0x0000000000000000-mapping.dmp
memory/3032-133-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
memory/3032-134-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
memory/3032-135-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
memory/3032-136-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
memory/3032-137-0x0000000013140000-0x0000000014009000-memory.dmp   Filesize 14.8MB
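Every memory dump listed here covers the same region, 0x13140000-0x14009000, in both msinfo32.exe processes, and it is the region the YARA rules upx and family_bandook matched in the Signatures section. The Python below is an added example, not part of this report, that makes that correlation explicit: it parses the dump names (copied from this page as constructed sample input), computes the region size from the address range, groups dumps by region across PIDs, attaches the YARA rules that fired on each, and reports the earliest dump in which each rule hit. The name pattern it parses is my reading of the file names shown here, the `*-mapping.dmp` entries are skipped because they follow a different pattern, and treating the report's "14.8MB" as MiB is an assumption that the arithmetic confirms.

```python
import re
from collections import defaultdict

# Dump names copied from this report's Downloads list (constructed sample input).
DUMPS = [
    "memory/1320-138-0x0000000000000000-mapping.dmp",
    "memory/1320-142-0x0000000013140000-0x0000000014009000-memory.dmp",
    "memory/3032-132-0x0000000000000000-mapping.dmp",
    "memory/3032-133-0x0000000013140000-0x0000000014009000-memory.dmp",
    "memory/3032-134-0x0000000013140000-0x0000000014009000-memory.dmp",
    "memory/3032-135-0x0000000013140000-0x0000000014009000-memory.dmp",
    "memory/3032-136-0x0000000013140000-0x0000000014009000-memory.dmp",
    "memory/3032-137-0x0000000013140000-0x0000000014009000-memory.dmp",
]
# (dump, rule) pairs copied from the two YARA signature tables of this report.
_REGION = "0x0000000013140000-0x0000000014009000-memory.dmp"
YARA_HITS = (
    [(f"behavioral2/memory/3032-{seq}-{_REGION}", "upx") for seq in (133, 134, 135, 136, 137)]
    + [(f"behavioral2/memory/3032-{seq}-{_REGION}", "family_bandook") for seq in (135, 136, 137)]
    + [(f"behavioral2/memory/1320-142-{_REGION}", "upx"),
       (f"behavioral2/memory/1320-142-{_REGION}", "family_bandook")]
)

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (my reading of the names on this page).
DUMP_RE = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        return None  # "*-mapping.dmp" entries use a different pattern and are skipped
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def correlate_regions(dumps, yara_hits):
    """Group dumps by (start, end), collect the PIDs that share each region and the rules that hit it."""
    regions = defaultdict(lambda: {"pids": set(), "dumps": set(), "rules": set()})
    for name in dumps:
        d = parse_dump(name)
        if d:
            r = regions[(d["start"], d["end"])]
            r["pids"].add(d["pid"])
            r["dumps"].add(name)
    for name, rule in yara_hits:
        d = parse_dump(name)
        if d:
            regions[(d["start"], d["end"])]["rules"].add(rule)
    out = []
    for (start, end), r in sorted(regions.items()):
        size = end - start
        out.append({
            "start": start, "end": end, "size_bytes": size,
            "size_mib": round(size / 2**20, 1),  # the report's "14.8MB" is a MiB figure (assumption)
            "pids": sorted(r["pids"]), "dump_count": len(r["dumps"]), "rules": sorted(r["rules"]),
        })
    return out


def first_hit(yara_hits, rule):
    """Earliest dump (by the run-wide sequence number) in which `rule` fired, as (pid, seq)."""
    hits = [d for d in (parse_dump(n) for n, r in yara_hits if r == rule) if d]
    if not hits:
        return None
    best = min(hits, key=lambda d: d["seq"])
    return best["pid"], best["seq"]


def payload_pids(regions, rule="family_bandook"):
    """PIDs whose dumped region matched `rule`."""
    return sorted({pid for r in regions if rule in r["rules"] for pid in r["pids"]})


if __name__ == "__main__":
    regions = correlate_regions(DUMPS, YARA_HITS)
    for r in regions:
        print(f"0x{r['start']:x}-0x{r['end']:x} {r['size_mib']} MiB pids={r['pids']} rules={r['rules']}")
    print("bandook in pids:", payload_pids(regions))
    print("first upx hit:", first_hit(YARA_HITS, "upx"), "first bandook hit:", first_hit(YARA_HITS, "family_bandook"))
```

The output is a single region of 0xEC9000 bytes (15,503,360, i.e. 14.8 MiB, matching the listed file size) present in both PIDs 3032 and 1320 and matching both rules, and the sequence numbers show why repeated dumping matters: the upx rule fires on the first dump of PID 3032 (seq 133) while family_bandook only fires from seq 135 onward, once the region has been unpacked in place.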