Analysis
max time kernel: 182s
max time network: 191s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:37
Static task: static1
Behavioral task: behavioral1
  Sample: 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
  Resource: win10v2004-20221111-en
General
Target: 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
Size: 6.7MB
MD5: 91d9d139ce2d791b6686ae07128b51cb
SHA1: 46210009701509a198a58bc0a5fa3bcd05c53eb1
SHA256: 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53
SHA512: 0488397ba99de52afbb80378589f7a0115006640b02ad7c9c26f73cdc30c72bf6d9f780b03d2a724d38a3a7ecb987d54ca1b4060f135cd61d6d3408d0a7a153f
SSDEEP: 196608:fKrCZ3PfOoei6B8v791ZftQzI+HfaQ37WmjUTFJ+:fZpGg791p6U+/aQ377jUTFM
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 2604  BANDIZIP-SETUP-STD-X64.EXE
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe: key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes (source PID / image -> target PID / image; each write was logged twice, the last three times):
    3660 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe -> 564 cmd.exe (x2)
    564 cmd.exe -> 1956 attrib.exe (x2)
    3660 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe -> 2044 cmd.exe (x2)
    2044 cmd.exe -> 2028 reg.exe (x2)
    2044 cmd.exe -> 5052 reg.exe (x2)
    2044 cmd.exe -> 4960 reg.exe (x2)
    2044 cmd.exe -> 772 reg.exe (x2)
    2044 cmd.exe -> 2520 reg.exe (x2)
    2044 cmd.exe -> 4084 reg.exe (x2)
    2044 cmd.exe -> 1960 reg.exe (x2)
    2044 cmd.exe -> 4948 reg.exe (x2)
    2044 cmd.exe -> 5116 reg.exe (x2)
    2044 cmd.exe -> 4540 reg.exe (x2)
    2044 cmd.exe -> 3920 reg.exe (x2)
    2044 cmd.exe -> 1804 reg.exe (x2)
    2044 cmd.exe -> 1236 reg.exe (x2)
    2044 cmd.exe -> 1820 reg.exe (x2)
    3660 133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe -> 2604 BANDIZIP-SETUP-STD-X64.EXE (x3)
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes (depth, image, command line, PID, triggered signatures)
  1  C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
     command line: "C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe"
     PID: 3660
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory
     2  C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
        PID: 564
        - Suspicious use of WriteProcessMemory
        3  C:\Windows\system32\attrib.exe
           command line: attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
           PID: 1956
           - Views/modifies file attributes
     2  C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd"
        PID: 2044
        - Suspicious use of WriteProcessMemory
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
           PID: 2028
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeZip" /t REG_DWORD /d "1" /f
           PID: 5052
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeRar" /t REG_DWORD /d "1" /f
           PID: 4960
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNotice7z" /t REG_DWORD /d "1" /f
           PID: 772
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "update" /t REG_DWORD /d "2" /f
           PID: 2520
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "shell_ShowSubmenu" /t REG_DWORD /d "1" /f
           PID: 4084
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_OpenArchive" /t REG_DWORD /d "1" /f
           PID: 1960
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_Preview" /t REG_DWORD /d "0" /f
           PID: 4948
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "shell_CreateNewFolder" /t REG_DWORD /d "0" /f
           PID: 5116
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "bDeleteOutfileWhenUserCancel" /t REG_DWORD /d "1" /f
           PID: 4540
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "openFolderWhenComplete" /t REG_DWORD /d "1" /f
           PID: 3920
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
           PID: 1804
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "bShowStartScreen" /t REG_DWORD /d "0" /f
           PID: 1236
        3  C:\Windows\system32\reg.exe
           command line: Reg.exe add "HKCU\Software\Bandizip" /v "bDispFullPathTitlebar" /t REG_DWORD /d "1" /f
           PID: 1820
     2  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
        command line: "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE"
        PID: 2604
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 6.8MB
  MD5: 7793ef9c18f44a5962cc877e7efa110c
  SHA1: e3b05cd6c0477fa98e9d14221123c9e09fa5916f
  SHA256: 58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26
  SHA512: b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2
- Filesize: 1KB
  MD5: 95caa98042b01e1c4cf47901ca8ac786
  SHA1: f041b629b11a65da3c1a3909c88f3e9f1e358f65
  SHA256: 0476e0d75664e305713767cad87e7b5f2580050c1b4d08799f050f5103728061
  SHA512: 96cfe1a060ad1d07f2250d6b792c4570a892e9e93a6162e058e22646a99171003eae38ffd2570cbba936b71f8d1953cd1e3eb93137109a805eb5c2126a6663ba