Analysis

max time kernel: 181s
max time network: 195s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 00:13
Static task: static1

Behavioral task: behavioral1
  Sample: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  Resource: win10v2004-20221111-en
General

Target: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
Size: 1.5MB
MD5: 35e9fc4bff3729865fcbe688d33e9819
SHA1: 74a5dc1856d990634c4c838309f124966c95b145
SHA256: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4
SHA512: 483ec08f00f5d3d2620b94f11c6a58f3c936112d189b9208bd6b7f22e285269274d177f12fec461232ede595b80836d883f8965b87cc12ddfe35e1d1849bfdb7
SSDEEP: 24576:57OlTY81NmsM4SFu6/4WiAH4ACs/85iIn1xJSG8El7jsMtAndBAicuUO:57cXOAYwGJI1xkwrAXA+
Malware Config

Extracted
  Family: bandook
  C2: somfiar2a.ddns.net
Signatures

Bandook payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/4772-133-0x0000000013140000-0x0000000013B90000-memory.dmp | family_bandook
  behavioral2/memory/4772-135-0x0000000013140000-0x0000000013B90000-memory.dmp | family_bandook
  behavioral2/memory/4772-136-0x0000000013140000-0x0000000013B90000-memory.dmp | family_bandook
  behavioral2/memory/4772-137-0x0000000013140000-0x0000000013B90000-memory.dmp | family_bandook

Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: iexplore.exe, iexplore.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksd = "C:\\Users\\Admin\\AppData\\Local\\ksd\\ksd.exe" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ksd = "C:\\Users\\Admin\\AppData\\Local\\ksd\\ksd.exe" | iexplore.exe

Suspicious use of SetThreadContext (1 IoC)
  Processes: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  description | pid | process | target process
  PID 1676 set thread context of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe, 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  description | pid | process | target process
  PID 1676 wrote to memory of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  PID 1676 wrote to memory of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  PID 1676 wrote to memory of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  PID 1676 wrote to memory of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  PID 1676 wrote to memory of 4772 | 1676 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
  PID 4772 wrote to memory of 3152 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 3152 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 3152 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 3152 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 524 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 524 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 524 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 524 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 4340 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 4340 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 4340 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 4340 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 1492 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 1492 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 1492 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
  PID 4772 wrote to memory of 1492 | 4772 | 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe | iexplore.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Adds Run key to start application

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\ksd\ksd.exe
  Filesize: 1.5MB
  MD5: 35e9fc4bff3729865fcbe688d33e9819
  SHA1: 74a5dc1856d990634c4c838309f124966c95b145
  SHA256: 2063ccad3a86a5808d3521eff0da421986761ad5d154a5de2243bf03fe59b1f4
  SHA512: 483ec08f00f5d3d2620b94f11c6a58f3c936112d189b9208bd6b7f22e285269274d177f12fec461232ede595b80836d883f8965b87cc12ddfe35e1d1849bfdb7

memory/4772-132-0x0000000000000000-mapping.dmp

memory/4772-133-0x0000000013140000-0x0000000013B90000-memory.dmp
  Filesize: 10.3MB

memory/4772-135-0x0000000013140000-0x0000000013B90000-memory.dmp
  Filesize: 10.3MB

memory/4772-136-0x0000000013140000-0x0000000013B90000-memory.dmp
  Filesize: 10.3MB

memory/4772-137-0x0000000013140000-0x0000000013B90000-memory.dmp
  Filesize: 10.3MB