Analysis
- max time kernel: 232s
- max time network: 297s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-09-2022 06:57

Static task: static1

Behavioral task: behavioral1
- Sample: ORDEN DE COMPRAS_26J.exe
- Resource: win7-20220812-en (windows7-x64)
- 5 signatures
- 300 seconds
General
- Target: ORDEN DE COMPRAS_26J.exe
- Size: 3.6MB
- MD5: 38fae3855997c9a49e658fa69fc1819f
- SHA1: 9ea93e76929980b71503e368dd4925d7f5f0e01e
- SHA256: 3405f9cd439a15d0192d0d5d57a0ddb8727c78b1d3543568a582b1db45b35aae
- SHA512: bd4e7ee1b54bf58bbafeb51c87916a28b1d965c1fb8790934bdd2160bf63107d879c256f0565dc647f33679ff241ad7b72b4e0e9c362e06db53ed44b4657835f
- SSDEEP: 49152:ZbU6bxhLt0sQfnKffkWuBo5QS87U96+exkPQ5NTZ0vVYkh6:Zbnbx6N/
Malware Config
Signatures
- Bandook payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp / family_bandook
  - behavioral2/memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp / family_bandook
  - behavioral2/memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp / family_bandook
- Processes (resource / yara_rule):
  - behavioral2/memory/1340-133-0x0000000013140000-0x0000000014009000-memory.dmp / upx
  - behavioral2/memory/1340-134-0x0000000013140000-0x0000000014009000-memory.dmp / upx
  - behavioral2/memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp / upx
  - behavioral2/memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp / upx
  - behavioral2/memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp / upx
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1340 / msinfo32.exe
  - 1340 / msinfo32.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes (description / pid / process / target process):
  - PID 1100 wrote to memory of 1340 / 1100 / ORDEN DE COMPRAS_26J.exe / msinfo32.exe
  - PID 1100 wrote to memory of 1340 / 1100 / ORDEN DE COMPRAS_26J.exe / msinfo32.exe
  - PID 1100 wrote to memory of 1340 / 1100 / ORDEN DE COMPRAS_26J.exe / msinfo32.exe
  - PID 1100 wrote to memory of 1340 / 1100 / ORDEN DE COMPRAS_26J.exe / msinfo32.exe
  - PID 1100 wrote to memory of 1340 / 1100 / ORDEN DE COMPRAS_26J.exe / msinfo32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORDEN DE COMPRAS_26J.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\windows\SysWOW64\msinfo32.exe
      Command line: C:\windows\syswow64\msinfo32.exe
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1340-132-0x0000000000000000-mapping.dmp
- memory/1340-133-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1340-134-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1340-135-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1340-136-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1340-137-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)