Analysis

  • max time kernel
    182s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 13:37

General

  • Target

    133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe

  • Size

    6.7MB

  • MD5

    91d9d139ce2d791b6686ae07128b51cb

  • SHA1

    46210009701509a198a58bc0a5fa3bcd05c53eb1

  • SHA256

    133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53

  • SHA512

    0488397ba99de52afbb80378589f7a0115006640b02ad7c9c26f73cdc30c72bf6d9f780b03d2a724d38a3a7ecb987d54ca1b4060f135cd61d6d3408d0a7a153f

  • SSDEEP

    196608:fKrCZ3PfOoei6B8v791ZftQzI+HfaQ37WmjUTFJ+:fZpGg791p6U+/aQ377jUTFM

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 37 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
    "C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
        3⤵
        • Views/modifies file attributes
        PID:1956
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
        3⤵
        PID:2028
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeZip" /t REG_DWORD /d "1" /f
        3⤵
        PID:5052
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeRar" /t REG_DWORD /d "1" /f
        3⤵
        PID:4960
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNotice7z" /t REG_DWORD /d "1" /f
        3⤵
        PID:772
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "update" /t REG_DWORD /d "2" /f
        3⤵
        PID:2520
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "shell_ShowSubmenu" /t REG_DWORD /d "1" /f
        3⤵
        PID:4084
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_OpenArchive" /t REG_DWORD /d "1" /f
        3⤵
        PID:1960
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_Preview" /t REG_DWORD /d "0" /f
        3⤵
        PID:4948
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "shell_CreateNewFolder" /t REG_DWORD /d "0" /f
        3⤵
        PID:5116
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "bDeleteOutfileWhenUserCancel" /t REG_DWORD /d "1" /f
        3⤵
        PID:4540
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "openFolderWhenComplete" /t REG_DWORD /d "1" /f
        3⤵
        PID:3920
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
        3⤵
        PID:1804
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "bShowStartScreen" /t REG_DWORD /d "0" /f
        3⤵
        PID:1236
      • C:\Windows\system32\reg.exe
        Reg.exe add "HKCU\Software\Bandizip" /v "bDispFullPathTitlebar" /t REG_DWORD /d "1" /f
        3⤵
        PID:1820
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE"
      2⤵
      • Executes dropped EXE
      PID:2604

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE

    Filesize

    6.8MB

    MD5

    7793ef9c18f44a5962cc877e7efa110c

    SHA1

    e3b05cd6c0477fa98e9d14221123c9e09fa5916f

    SHA256

    58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

    SHA512

    b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd

    Filesize

    1KB

    MD5

    95caa98042b01e1c4cf47901ca8ac786

    SHA1

    f041b629b11a65da3c1a3909c88f3e9f1e358f65

    SHA256

    0476e0d75664e305713767cad87e7b5f2580050c1b4d08799f050f5103728061

    SHA512

    96cfe1a060ad1d07f2250d6b792c4570a892e9e93a6162e058e22646a99171003eae38ffd2570cbba936b71f8d1953cd1e3eb93137109a805eb5c2126a6663ba

  • memory/564-133-0x0000000000000000-mapping.dmp

  • memory/772-140-0x0000000000000000-mapping.dmp

  • memory/1236-149-0x0000000000000000-mapping.dmp

  • memory/1804-148-0x0000000000000000-mapping.dmp

  • memory/1820-150-0x0000000000000000-mapping.dmp

  • memory/1956-134-0x0000000000000000-mapping.dmp

  • memory/1960-143-0x0000000000000000-mapping.dmp

  • memory/2028-137-0x0000000000000000-mapping.dmp

  • memory/2044-135-0x0000000000000000-mapping.dmp

  • memory/2520-141-0x0000000000000000-mapping.dmp

  • memory/2604-151-0x0000000000000000-mapping.dmp

  • memory/3660-154-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3660-132-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3920-147-0x0000000000000000-mapping.dmp

  • memory/4084-142-0x0000000000000000-mapping.dmp

  • memory/4540-146-0x0000000000000000-mapping.dmp

  • memory/4948-144-0x0000000000000000-mapping.dmp

  • memory/4960-139-0x0000000000000000-mapping.dmp

  • memory/5052-138-0x0000000000000000-mapping.dmp

  • memory/5116-145-0x0000000000000000-mapping.dmp