46ee42fb79a161bf3763e8e34a047018bd16d8572f8d31c2cdecae3d2e7a57a8

Analysis

max time kernel
144s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/03/2023, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bombermania.exe
Size

2.7MB
MD5

471d39a51a79f342033c5b0636c244dc
SHA1

b0324ddd99677d9b0458c7328879f8fde268effc
SHA256

1154535130d546eaa33bbc9051a9cb91e2b0e3a3991286c3d5b0a708110c9aa7
SHA512

e1df6f0c06a0438d7b1cabae01d38e9bb723feeff67b4a9c8176d46b4da7fbd89be287ff86db9617c02a553d1a7c76c7f5ad1286d12023ad7628f5b0a30066af
SSDEEP

49152:F0Mnrnb04mvy6e4LzKCGilG4mvEsWI9ep0dZfyFhVWHRal0v:KMnn04mY6yilGd19cyhxq0v

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Live update.lnk	Bombermania.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Antivirus live update.lnk	Bombermania.exe

Executes dropped EXE 2 IoCs

pid	Process
1844	Bombermania.exe
292	is-2E6PG.tmp

Loads dropped DLL 7 IoCs

pid	Process
1604	Bombermania.exe
1844	Bombermania.exe
1844	Bombermania.exe
1844	Bombermania.exe
1844	Bombermania.exe
292	is-2E6PG.tmp
292	is-2E6PG.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1604-62-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral1/memory/1604-96-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Bombermania.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Live Update = "C:\\Program Files (x86)\\WinA\\WinA.exe OnStartup.xml"	Bombermania.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run	Bombermania.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\Live Update = "C:\\Program Files (x86)\\WinA\\WinA.exe OnStartup_FallBack.xml"	Bombermania.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Bombermania.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinA\Instructions.xml	Bombermania.exe
File created	C:\Program Files (x86)\WinA\OnStartup.xml	Bombermania.exe
File created	C:\Program Files (x86)\WinA\OnStartup_FallBack.xml	Bombermania.exe
File created	C:\Program Files (x86)\WinA\UninstallPartI.xml	Bombermania.exe
File created	C:\Program Files (x86)\WinA\UninstallPartII.xml	Bombermania.exe
File opened for modification	C:\Program Files (x86)\WinA\WinA.exe	Bombermania.exe
File created	C:\Program Files (x86)\WinA\WinA.exe	Bombermania.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1604	Bombermania.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
292	is-2E6PG.tmp

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1604 wrote to memory of 1844	1604	Bombermania.exe	28
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29
PID 1844 wrote to memory of 292	1844	Bombermania.exe	29

C:\Users\Admin\AppData\Local\Temp\Bombermania.exe
"C:\Users\Admin\AppData\Local\Temp\Bombermania.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
  "C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp" /SL4 $80122 C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe 2384405 50688
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: GetForegroundWindowSpam
    PID:292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Instructions.xml

Filesize
15KB

MD5
06686de253bf5bca9b3fd61dae44eef2

SHA1
a1aa56ee5745d6cca90a99cdb6314fb07817f7b9

SHA256
78730e10b80da6e7b5306059bb77869928e0655a1e2a049e8f1a43a93452c05b

SHA512
8beece0e9dd2868b3ce6309a812b71d255563280aff4db341508c08da081810b9f721e729678b443953d973bfc3601cbd1256550f0899a7b5dcdd9ad7e196c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp

Filesize
577KB

MD5
e84de69f85741b96c7755124d725f754

SHA1
66b144676366e003477f71862ce1cb5b7213ac41

SHA256
f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

SHA512
39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp

Filesize
577KB

MD5
e84de69f85741b96c7755124d725f754

SHA1
66b144676366e003477f71862ce1cb5b7213ac41

SHA256
f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

SHA512
39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

Download Submit
\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe

Filesize
2.6MB

MD5
fe37b30358f0858a8ef4d8b874c8a96d

SHA1
7b4a71cb297852872a505da9e7863b3cc2607d1b

SHA256
77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

SHA512
c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

Download Submit
\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp

Filesize
577KB

MD5
e84de69f85741b96c7755124d725f754

SHA1
66b144676366e003477f71862ce1cb5b7213ac41

SHA256
f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

SHA512
39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

Download Submit
\Users\Admin\AppData\Local\Temp\is-VPT3B.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-VPT3B.tmp\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/292-113-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/292-115-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/1604-62-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1604-96-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1844-100-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1844-114-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download