Overview

overview

10

Static

static

2063ccad3a...f4.exe

windows7-x64

10

2063ccad3a...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    65s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    24-11-2022 00:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe

  • Size

    1.5MB

  • MD5

    35e9fc4bff3729865fcbe688d33e9819

  • SHA1

    74a5dc1856d990634c4c838309f124966c95b145

  • SHA256

    2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4

  • SHA512

    483ec08f00f5d3d2620b94f11c6a58f3c936112d189b9208bd6b7f22e285269274d177f12fec461232ede595b80836d883f8965b87cc12ddfe35e1d1849bfdb7

  • SSDEEP

    24576:57OlTY81NmsM4SFu6/4WiAH4ACs/85iIn1xJSG8El7jsMtAndBAicuUO:57cXOAYwGJI1xkwrAXA+

Score
10/10
bandookpersistencerattrojan

Malware Config

Extracted

Family

bandook

C2

somfiar2a.ddns.net

Signatures

  • Bandook RAT

    Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    rattrojanbandook
  • Bandook payload 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
    "C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
      "C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Program Files (x86)\Internet Explorer\iexplore.exe
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        3⤵
          PID:1324
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
          • Adds Run key to start application
          PID:972
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          3⤵
            PID:1824
          • C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            3⤵
            • Adds Run key to start application
            PID:1784

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\ksd\ksd.exe
        Filesize

        1.5MB

        MD5

        35e9fc4bff3729865fcbe688d33e9819

        SHA1

        74a5dc1856d990634c4c838309f124966c95b145

        SHA256

        2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4

        SHA512

        483ec08f00f5d3d2620b94f11c6a58f3c936112d189b9208bd6b7f22e285269274d177f12fec461232ede595b80836d883f8965b87cc12ddfe35e1d1849bfdb7

        Download Submit
      • memory/1372-54-0x0000000013140000-0x0000000013B90000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/1372-56-0x0000000013140000-0x0000000013B90000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/1372-57-0x0000000013148C7C-mapping.dmp
        Download
      • memory/1372-59-0x0000000075071000-0x0000000075073000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1372-60-0x0000000013140000-0x0000000013B90000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/1372-61-0x0000000013140000-0x0000000013B90000-memory.dmp
        Filesize

        10.3MB

        Download
      • memory/1372-62-0x0000000013140000-0x0000000013B90000-memory.dmp
        Filesize

        10.3MB

        Download