Analysis
-
max time kernel
244s -
max time network
274s -
platform
windows7_x64 -
resource
win7-20220812-es -
resource tags
arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows -
submitted
21-09-2022 15:53
Static task
static1
Behavioral task
behavioral1
Sample
TIKET DE ACUSE DE PAGO 21-09-2022_B.exe
Resource
win7-20220812-es
Behavioral task
behavioral2
Sample
TIKET DE ACUSE DE PAGO 21-09-2022_B.exe
Resource
win10v2004-20220812-es
Behavioral task
behavioral3
Sample
msvfw32 - copia (4).dll
Resource
win7-20220901-es
Behavioral task
behavioral4
Sample
msvfw32 - copia (4).dll
Resource
win10v2004-20220812-es
General
-
Target
TIKET DE ACUSE DE PAGO 21-09-2022_B.exe
-
Size
3.0MB
-
MD5
a986715bc03da3613fa1e63e3a2a38f6
-
SHA1
75c1c48a018cc8c63f154da2d81f4949beb30bb3
-
SHA256
83c24c9bca7a2e2ca9b00bfd5b2b04c464d90ba24d23f0d708ba56578ca8e3b7
-
SHA512
161f2c91ee9ddb203904b94a7087c4e1193ded81cee77fa09e66fe6b1ee3beca188b214efb53ffb6a62f51e8cf452b185ef35169ea6a8335b94c6bf28a90a6ad
-
SSDEEP
49152:BUUcMvybmbLj+JrHJk3OVcRDjHrCTny8ciBMsRl1djm:BF
Malware Config
Signatures
-
Bandook payload 2 IoCs
resource / yara_rule:
behavioral1/memory/836-61-0x0000000013140000-0x0000000014009000-memory.dmp  family_bandook
behavioral1/memory/836-62-0x0000000013140000-0x0000000014009000-memory.dmp  family_bandook -
UPX packed file 4 IoCs
resource / yara_rule:
behavioral1/memory/836-58-0x0000000013140000-0x0000000014009000-memory.dmp  upx
behavioral1/memory/836-60-0x0000000013140000-0x0000000014009000-memory.dmp  upx
behavioral1/memory/836-61-0x0000000013140000-0x0000000014009000-memory.dmp  upx
behavioral1/memory/836-62-0x0000000013140000-0x0000000014009000-memory.dmp  upx -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid / process:
836  msinfo32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description / pid / process / target process:
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
PID 600 wrote to memory of 836  600  TIKET DE ACUSE DE PAGO 21-09-2022_B.exe  msinfo32.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\TIKET DE ACUSE DE PAGO 21-09-2022_B.exe (PID 600)
   Command line: "C:\Users\Admin\AppData\Local\Temp\TIKET DE ACUSE DE PAGO 21-09-2022_B.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\windows\syswow64\msinfo32.exe (PID 836, child of 600)
      Command line: C:\windows\syswow64\msinfo32.exe
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/600-54-0x0000000075E01000-0x0000000075E03000-memory.dmp, Filesize 8KB
- memory/836-55-0x0000000013140000-0x0000000014009000-memory.dmp, Filesize 14.8MB
- memory/836-57-0x0000000000000000-mapping.dmp
- memory/836-58-0x0000000013140000-0x0000000014009000-memory.dmp, Filesize 14.8MB
- memory/836-60-0x0000000013140000-0x0000000014009000-memory.dmp, Filesize 14.8MB
- memory/836-61-0x0000000013140000-0x0000000014009000-memory.dmp, Filesize 14.8MB
- memory/836-62-0x0000000013140000-0x0000000014009000-memory.dmp, Filesize 14.8MB