Overview

overview

8

Static

static

133bff26cb...53.exe

windows7-x64

8

133bff26cb...53.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    89s
  • max time network
    206s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe

  • Size

    6.7MB

  • MD5

    91d9d139ce2d791b6686ae07128b51cb

  • SHA1

    46210009701509a198a58bc0a5fa3bcd05c53eb1

  • SHA256

    133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53

  • SHA512

    0488397ba99de52afbb80378589f7a0115006640b02ad7c9c26f73cdc30c72bf6d9f780b03d2a724d38a3a7ecb987d54ca1b4060f135cd61d6d3408d0a7a153f

  • SSDEEP

    196608:fKrCZ3PfOoei6B8v791ZftQzI+HfaQ37WmjUTFJ+:fZpGg791p6U+/aQ377jUTFM

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
    "C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1648
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
        3⤵
        • Views/modifies file attributes
        PID:756
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
        3⤵
          PID:1496
        • C:\Windows\system32\reg.exe
          Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeZip" /t REG_DWORD /d "1" /f
          3⤵
            PID:656
          • C:\Windows\system32\reg.exe
            Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeRar" /t REG_DWORD /d "1" /f
            3⤵
              PID:1924
            • C:\Windows\system32\reg.exe
              Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNotice7z" /t REG_DWORD /d "1" /f
              3⤵
                PID:856
              • C:\Windows\system32\reg.exe
                Reg.exe add "HKCU\Software\Bandizip" /v "update" /t REG_DWORD /d "2" /f
                3⤵
                  PID:1820
                • C:\Windows\system32\reg.exe
                  Reg.exe add "HKCU\Software\Bandizip" /v "shell_ShowSubmenu" /t REG_DWORD /d "1" /f
                  3⤵
                    PID:1744
                  • C:\Windows\system32\reg.exe
                    Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_OpenArchive" /t REG_DWORD /d "1" /f
                    3⤵
                      PID:920
                    • C:\Windows\system32\reg.exe
                      Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_Preview" /t REG_DWORD /d "0" /f
                      3⤵
                        PID:896
                      • C:\Windows\system32\reg.exe
                        Reg.exe add "HKCU\Software\Bandizip" /v "shell_CreateNewFolder" /t REG_DWORD /d "0" /f
                        3⤵
                          PID:680
                        • C:\Windows\system32\reg.exe
                          Reg.exe add "HKCU\Software\Bandizip" /v "bDeleteOutfileWhenUserCancel" /t REG_DWORD /d "1" /f
                          3⤵
                            PID:1392
                          • C:\Windows\system32\reg.exe
                            Reg.exe add "HKCU\Software\Bandizip" /v "openFolderWhenComplete" /t REG_DWORD /d "1" /f
                            3⤵
                              PID:1552
                            • C:\Windows\system32\reg.exe
                              Reg.exe add "HKCU\Software\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
                              3⤵
                                PID:1704
                              • C:\Windows\system32\reg.exe
                                Reg.exe add "HKCU\Software\Bandizip" /v "bShowStartScreen" /t REG_DWORD /d "0" /f
                                3⤵
                                  PID:1096
                                • C:\Windows\system32\reg.exe
                                  Reg.exe add "HKCU\Software\Bandizip" /v "bDispFullPathTitlebar" /t REG_DWORD /d "1" /f
                                  3⤵
                                    PID:1656
                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
                                  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE"
                                  2⤵
                                  • Executes dropped EXE
                                  • Modifies system certificate store
                                  PID:1736

                              Network

                              MITRE ATT&CK Matrix ATT&CK v6

                              Initial Access

                              Execution

                              Persistence

                              Hidden Files and Directories

                              1
                              T1158

                              Privilege Escalation

                              Defense Evasion

                              Install Root Certificate

                              1
                              T1130

                              Modify Registry

                              1
                              T1112

                              Hidden Files and Directories

                              1
                              T1158

                              Credential Access

                              Discovery

                              System Information Discovery

                              1
                              T1082

                              Lateral Movement

                              Collection

                              Exfiltration

                              Command and Control

                              Impact

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
                                Filesize

                                6.8MB

                                MD5

                                7793ef9c18f44a5962cc877e7efa110c

                                SHA1

                                e3b05cd6c0477fa98e9d14221123c9e09fa5916f

                                SHA256

                                58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

                                SHA512

                                b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
                                Filesize

                                6.8MB

                                MD5

                                7793ef9c18f44a5962cc877e7efa110c

                                SHA1

                                e3b05cd6c0477fa98e9d14221123c9e09fa5916f

                                SHA256

                                58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

                                SHA512

                                b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

                                Download Submit
                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd
                                Filesize

                                1KB

                                MD5

                                95caa98042b01e1c4cf47901ca8ac786

                                SHA1

                                f041b629b11a65da3c1a3909c88f3e9f1e358f65

                                SHA256

                                0476e0d75664e305713767cad87e7b5f2580050c1b4d08799f050f5103728061

                                SHA512

                                96cfe1a060ad1d07f2250d6b792c4570a892e9e93a6162e058e22646a99171003eae38ffd2570cbba936b71f8d1953cd1e3eb93137109a805eb5c2126a6663ba

                                Download Submit
                              • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
                                Filesize

                                6.8MB

                                MD5

                                7793ef9c18f44a5962cc877e7efa110c

                                SHA1

                                e3b05cd6c0477fa98e9d14221123c9e09fa5916f

                                SHA256

                                58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

                                SHA512

                                b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

                                Download Submit
                              • memory/464-58-0x0000000000000000-mapping.dmp
                                Download
                              • memory/656-61-0x0000000000000000-mapping.dmp
                                Download
                              • memory/680-68-0x0000000000000000-mapping.dmp
                                Download
                              • memory/756-57-0x0000000000000000-mapping.dmp
                                Download
                              • memory/856-63-0x0000000000000000-mapping.dmp
                                Download
                              • memory/896-67-0x0000000000000000-mapping.dmp
                                Download
                              • memory/920-66-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1096-72-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1216-54-0x0000000074F01000-0x0000000074F03000-memory.dmp
                                Filesize

                                8KB

                                Download
                              • memory/1216-55-0x0000000000400000-0x000000000043E000-memory.dmp
                                Filesize

                                248KB

                                Download
                              • memory/1216-74-0x0000000000400000-0x000000000043E000-memory.dmp
                                Filesize

                                248KB

                                Download
                              • memory/1392-69-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1496-60-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1552-70-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1648-56-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1656-73-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1704-71-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1736-76-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1744-65-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1820-64-0x0000000000000000-mapping.dmp
                                Download
                              • memory/1924-62-0x0000000000000000-mapping.dmp
                                Download