133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53

General

Target

133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
Size

6.7MB
MD5

91d9d139ce2d791b6686ae07128b51cb
SHA1

46210009701509a198a58bc0a5fa3bcd05c53eb1
SHA256

133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53
SHA512

0488397ba99de52afbb80378589f7a0115006640b02ad7c9c26f73cdc30c72bf6d9f780b03d2a724d38a3a7ecb987d54ca1b4060f135cd61d6d3408d0a7a153f
SSDEEP

196608:fKrCZ3PfOoei6B8v791ZftQzI+HfaQ37WmjUTFJ+:fZpGg791p6U+/aQ377jUTFM

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

BANDIZIP-SETUP-STD-X64.EXE

pid process

2604 BANDIZIP-SETUP-STD-X64.EXE

pid	process
2604	BANDIZIP-SETUP-STD-X64.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.execmd.execmd.exe

description	pid	process	target process
PID 3660 wrote to memory of 564	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	cmd.exe
PID 3660 wrote to memory of 564	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	cmd.exe
PID 564 wrote to memory of 1956	564	cmd.exe	attrib.exe
PID 564 wrote to memory of 1956	564	cmd.exe	attrib.exe
PID 3660 wrote to memory of 2044	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	cmd.exe
PID 3660 wrote to memory of 2044	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	cmd.exe
PID 2044 wrote to memory of 2028	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 2028	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 5052	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 5052	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4960	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4960	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 772	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 772	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 2520	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 2520	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4084	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4084	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1960	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1960	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4948	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4948	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 5116	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 5116	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4540	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 4540	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 3920	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 3920	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1804	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1804	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1236	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1236	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1820	2044	cmd.exe	reg.exe
PID 2044 wrote to memory of 1820	2044	cmd.exe	reg.exe
PID 3660 wrote to memory of 2604	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	BANDIZIP-SETUP-STD-X64.EXE
PID 3660 wrote to memory of 2604	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	BANDIZIP-SETUP-STD-X64.EXE
PID 3660 wrote to memory of 2604	3660	133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe	BANDIZIP-SETUP-STD-X64.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1956 attrib.exe

pid	process
1956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe
"C:\Users\Admin\AppData\Local\Temp\133bff26cb2aa0bf4d27369e50b5837caf2f6e1973d98d78530a7500e206bd53.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
3⤵
- Views/modifies file attributes
PID:1956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c @pushd "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000" >nul 2>&1 & CALL "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
3⤵
PID:2028

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeZip" /t REG_DWORD /d "1" /f
3⤵
PID:5052

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNoticeRar" /t REG_DWORD /d "1" /f
3⤵
PID:4960

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "assocNotice.disableNotice7z" /t REG_DWORD /d "1" /f
3⤵
PID:772

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "update" /t REG_DWORD /d "2" /f
3⤵
PID:2520

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "shell_ShowSubmenu" /t REG_DWORD /d "1" /f
3⤵
PID:4084

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_OpenArchive" /t REG_DWORD /d "1" /f
3⤵
PID:1960

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\SOFTWARE\Bandizip" /v "shell_Preview" /t REG_DWORD /d "0" /f
3⤵
PID:4948

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "shell_CreateNewFolder" /t REG_DWORD /d "0" /f
3⤵
PID:5116

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "bDeleteOutfileWhenUserCancel" /t REG_DWORD /d "1" /f
3⤵
PID:4540

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "openFolderWhenComplete" /t REG_DWORD /d "1" /f
3⤵
PID:3920

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "doNotCloseExtractDlg" /t REG_DWORD /d "0" /f
3⤵
PID:1804

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "bShowStartScreen" /t REG_DWORD /d "0" /f
3⤵
PID:1236

C:\Windows\system32\reg.exe
Reg.exe add "HKCU\Software\Bandizip" /v "bDispFullPathTitlebar" /t REG_DWORD /d "1" /f
3⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE"
2⤵
- Executes dropped EXE
PID:2604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE

Filesize
6.8MB

MD5
7793ef9c18f44a5962cc877e7efa110c

SHA1
e3b05cd6c0477fa98e9d14221123c9e09fa5916f

SHA256
58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

SHA512
b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\BANDIZIP-SETUP-STD-X64.EXE

Filesize
6.8MB

MD5
7793ef9c18f44a5962cc877e7efa110c

SHA1
e3b05cd6c0477fa98e9d14221123c9e09fa5916f

SHA256
58ac6c40593f0e7104ce838ef9163d743a5339166986ee4c3839224b25bddd26

SHA512
b12a34ebda99691add598d0822b9c0ab3bdbad0b6c03d8af14e8799aadc8285a91654e46a087b10289dc86c8eaed86bd4e2d930d86c9aa0ba85010cb852862c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\First.cmd

Filesize
1KB

MD5
95caa98042b01e1c4cf47901ca8ac786

SHA1
f041b629b11a65da3c1a3909c88f3e9f1e358f65

SHA256
0476e0d75664e305713767cad87e7b5f2580050c1b4d08799f050f5103728061

SHA512
96cfe1a060ad1d07f2250d6b792c4570a892e9e93a6162e058e22646a99171003eae38ffd2570cbba936b71f8d1953cd1e3eb93137109a805eb5c2126a6663ba

Download Submit
memory/564-133-0x0000000000000000-mapping.dmp

Download
memory/772-140-0x0000000000000000-mapping.dmp

Download
memory/1236-149-0x0000000000000000-mapping.dmp

Download
memory/1804-148-0x0000000000000000-mapping.dmp

Download
memory/1820-150-0x0000000000000000-mapping.dmp

Download
memory/1956-134-0x0000000000000000-mapping.dmp

Download
memory/1960-143-0x0000000000000000-mapping.dmp

Download
memory/2028-137-0x0000000000000000-mapping.dmp

Download
memory/2044-135-0x0000000000000000-mapping.dmp

Download
memory/2520-141-0x0000000000000000-mapping.dmp

Download
memory/2604-151-0x0000000000000000-mapping.dmp

Download
memory/3660-154-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3660-132-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3920-147-0x0000000000000000-mapping.dmp

Download
memory/4084-142-0x0000000000000000-mapping.dmp

Download
memory/4540-146-0x0000000000000000-mapping.dmp

Download
memory/4948-144-0x0000000000000000-mapping.dmp

Download
memory/4960-139-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x0000000000000000-mapping.dmp

Download
memory/5116-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing