Analysis
- max time kernel: 253s
- max time network: 300s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-09-2022 13:56
Static task: static1

Behavioral task: behavioral1
- Sample: PAGOS CANCELADOS_27D.exe
- Resource: win7-20220901-en
- 5 signatures
- 300 seconds

Behavioral task: behavioral2
- Sample: PAGOS CANCELADOS_27D.exe
- Resource: win10v2004-20220812-en
- 20 signatures
- 300 seconds
General
- Target: PAGOS CANCELADOS_27D.exe
- Size: 3.6MB
- MD5: 135e03400f15e6058085d0f867d6d0ef
- SHA1: 2d1e0d30426d68fecb1bbc52321df8b4c0e4363d
- SHA256: 646d385c9b7168e97199fd0557a1c22ac0c0eca724e7684bf74a524466933693
- SHA512: ba86e3b65848fe33d94d9daec17bbf7c1077a4abf36fceee36eff6ad65b72e4e69b1b8cab093afed589428793555357b716128afcfc2afa75a317db874f779fe
- SSDEEP: 49152:FbU6bMuLV01edOnZIPaKPm6Q7m4bjuBFnhHK4i/59Cfev3DeVN2oTIO4f:FbnbMZ
Malware Config
Signatures
- Bandook payload 3 IoCs
  Processes:
  resource | yara_rule
  behavioral1/memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
-
  Processes:
  resource | yara_rule
  behavioral1/memory/1584-58-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1584-60-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp | upx
- Suspicious behavior: EnumeratesProcesses 1 IoCs
  Processes: msinfo32.exe
  pid | process
  1584 | msinfo32.exe
- Suspicious use of WriteProcessMemory 6 IoCs
  Processes: PAGOS CANCELADOS_27D.exe
  description | pid | process | target process
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
  PID 1128 wrote to memory of 1584 | 1128 | PAGOS CANCELADOS_27D.exe | msinfo32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PAGOS CANCELADOS_27D.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PAGOS CANCELADOS_27D.exe"
  - Suspicious use of WriteProcessMemory
  - C:\windows\syswow64\msinfo32.exe
    Command line: C:\windows\syswow64\msinfo32.exe
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1128-54-0x0000000076961000-0x0000000076963000-memory.dmp (Filesize: 8KB)
- memory/1584-55-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1584-57-0x0000000000000000-mapping.dmp
- memory/1584-58-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1584-60-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1584-62-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1584-61-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)
- memory/1584-63-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize: 14.8MB)