Analysis

- max time kernel: 293s
- max time network: 301s
- platform: windows7_x64
- resource: win7-20220812-es
- resource tags: arch:x64, arch:x86, image:win7-20220812-es, locale:es-es, os:windows7-x64, system:windows
- submitted: 05-12-2022 15:52

Static task: static1

Behavioral task: behavioral1
- Sample: Recibo Pago_01.exe
- Resource: win7-20220812-es
- 5 signatures
- 300 seconds
General

- Target: Recibo Pago_01.exe
- Size: 2.6MB
- MD5: b878881a2185be9eaa1ea8e0dd110928
- SHA1: f5d02789571a0e77df546cd8b9a7961d8a6d6492
- SHA256: adf598b6e18cc87cdfd38b309e2107054143b6078827878aaa280a30256b5d4e
- SHA512: 9390674a0c3d69af48f6509ab0b37616270d1d370270de137faf3e35e6c33b4e8ef518ba0fbed4859c063b32bcb6660cab424282b6e9fc84e6451fa17dd8a8b9
- SSDEEP: 24576:PQvIbnxx7gup2pm/+yS5ksdokLm0Nnc9EMiqQmH7zWfDzgWPo/+OxhirK6rQinxu:PG27lSvCkDcnbKfDzl00rtkaYnZtQ3By
Malware Config
Signatures

- Bandook payload (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1248-63-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1248-64-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook
  behavioral1/memory/1248-65-0x0000000013140000-0x0000000014009000-memory.dmp | family_bandook

- yara rule upx matches (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1248-60-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1248-62-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1248-63-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1248-64-0x0000000013140000-0x0000000014009000-memory.dmp | upx
  behavioral1/memory/1248-65-0x0000000013140000-0x0000000014009000-memory.dmp | upx

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  pid | process
  1248 | msinfo32.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes:
  description | pid | process | target process
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
  PID 1260 wrote to memory of 700 | 1260 | Recibo Pago_01.exe | Recibo Pago_01.exe
  PID 1260 wrote to memory of 700 | 1260 | Recibo Pago_01.exe | Recibo Pago_01.exe
  PID 1260 wrote to memory of 700 | 1260 | Recibo Pago_01.exe | Recibo Pago_01.exe
  PID 1260 wrote to memory of 700 | 1260 | Recibo Pago_01.exe | Recibo Pago_01.exe
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
  PID 1260 wrote to memory of 1248 | 1260 | Recibo Pago_01.exe | msinfo32.exe
Processes

- Level 1
  Image: C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe"
  - Suspicious use of WriteProcessMemory

  - Level 2
    Image: C:\windows\syswow64\msinfo32.exe
    Command line: C:\windows\syswow64\msinfo32.exe
    - Suspicious behavior: EnumeratesProcesses

  - Level 2
    Image: C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Recibo Pago_01.exe" dkddkdkkdkdd ddd
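Reading the WriteProcessMemory IoCs together with the process tree: the sample (PID 1260, running from the user's Temp directory) wrote six times into msinfo32.exe (PID 1248, a legitimate Windows binary it launched from syswow64) and four times into a second copy of itself (PID 700, launched with the arguments dkddkdkkdkdd ddd), and every family_bandook YARA hit lands in one region of PID 1248, 0x13140000-0x14009000 (0xEC9000 bytes, the 14.8MB listed under Downloads). The same region is also matched by the upx rule, so the dumps that classified the family were taken from a process the sample never wrote to disk as an unpacked image. The script below is an added example, not part of the report or of the sandbox's own tooling: it parses the report's records (copied inline as constructed input) into an injection map and ties each YARA hit back to the process that was written into. The record and dump-name formats it assumes are the ones visible on this page, and the record regex relies on image names ending in .exe because "Recibo Pago_01.exe" contains a space.

```python
"""Added example: rebuild the injection chain recorded in this sandbox report
and attribute the Bandook YARA hits to the process that received the writes.
Input formats below are constructed from the records shown on the page."""
import re
from collections import defaultdict

# Constructed input: the ten "Suspicious use of WriteProcessMemory" records,
# copied from this report's IoC list.
WRITE_RECORDS = """\
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
PID 1260 wrote to memory of 700 1260 Recibo Pago_01.exe Recibo Pago_01.exe
PID 1260 wrote to memory of 700 1260 Recibo Pago_01.exe Recibo Pago_01.exe
PID 1260 wrote to memory of 700 1260 Recibo Pago_01.exe Recibo Pago_01.exe
PID 1260 wrote to memory of 700 1260 Recibo Pago_01.exe Recibo Pago_01.exe
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
PID 1260 wrote to memory of 1248 1260 Recibo Pago_01.exe msinfo32.exe
"""

# Constructed input: the three "Bandook payload" YARA hits from the report.
YARA_HITS = [
    ("behavioral1/memory/1248-63-0x0000000013140000-0x0000000014009000-memory.dmp", "family_bandook"),
    ("behavioral1/memory/1248-64-0x0000000013140000-0x0000000014009000-memory.dmp", "family_bandook"),
    ("behavioral1/memory/1248-65-0x0000000013140000-0x0000000014009000-memory.dmp", "family_bandook"),
]

# Assumption: a record reads "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
# and image names end in ".exe" (needed because "Recibo Pago_01.exe" contains a space).
WRITE_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_image>.+?\.exe) (?P<dst_image>.+?\.exe)$"
)

# Assumption: region dumps are named "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp",
# optionally prefixed with the task name ("behavioral1/").
DUMP_RE = re.compile(
    r"(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for each parsable record."""
    records = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            records.append((int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"]))
    return records


def injection_targets(records):
    """Cross-process writes grouped by writer: {src_pid: {dst_pid: (dst_image, count)}}.
    A process writing into its own address space is not injection and is skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    images = {}
    for src, dst, _, dst_image in records:
        if src == dst:
            continue
        counts[src][dst] += 1
        images[dst] = dst_image
    return {src: {dst: (images[dst], n) for dst, n in dsts.items()}
            for src, dsts in counts.items()}


def dump_region(name):
    """Return (pid, start, end, size_bytes) parsed from a memory-region dump name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a region dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), start, end, end - start


def attribute_hits(records, hits):
    """For each YARA hit, report the region and which process(es) wrote into that pid."""
    injected_by = defaultdict(set)
    for src, dst, src_image, _ in records:
        if src != dst:
            injected_by[dst].add((src, src_image))
    out = []
    for name, rule in hits:
        pid, start, end, size = dump_region(name)
        out.append({
            "rule": rule,
            "pid": pid,
            "region": (start, end),
            "size_mib": round(size / 2**20, 1),
            "injected_by": sorted(injected_by.get(pid, ())),
        })
    return out


if __name__ == "__main__":
    recs = parse_writes(WRITE_RECORDS)
    for src, dsts in injection_targets(recs).items():
        for dst, (image, n) in dsts.items():
            print(f"pid {src} wrote into pid {dst} ({image}) {n} time(s)")
    for hit in attribute_hits(recs, YARA_HITS):
        print(hit)
```

The two checks worth keeping from this are that the YARA-tagged pid is one the sample wrote into (so the family verdict is on injected code, not on the dropper's own image) and that the region size computed from the dump name agrees with the Filesize column, which guards against a truncated dump being mistaken for the full injected image.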
Network
MITRE ATT&CK Matrix
Downloads
- memory/700-55-0x0000000000000000-mapping.dmp
- memory/1248-57-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1248-59-0x0000000000000000-mapping.dmp
- memory/1248-60-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1248-62-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1248-63-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1248-64-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1248-65-0x0000000013140000-0x0000000014009000-memory.dmp (Filesize 14.8MB)
- memory/1260-54-0x0000000076201000-0x0000000076203000-memory.dmp (Filesize 8KB)