Overview

overview

7

Static

static

7

Bombermania.exe

windows7-x64

7

Bombermania.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2023 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bombermania.exe

  • Size

    2.7MB

  • MD5

    471d39a51a79f342033c5b0636c244dc

  • SHA1

    b0324ddd99677d9b0458c7328879f8fde268effc

  • SHA256

    1154535130d546eaa33bbc9051a9cb91e2b0e3a3991286c3d5b0a708110c9aa7

  • SHA512

    e1df6f0c06a0438d7b1cabae01d38e9bb723feeff67b4a9c8176d46b4da7fbd89be287ff86db9617c02a553d1a7c76c7f5ad1286d12023ad7628f5b0a30066af

  • SSDEEP

    49152:F0Mnrnb04mvy6e4LzKCGilG4mvEsWI9ep0dZfyFhVWHRal0v:KMnn04mY6yilGd19cyhxq0v

Score
7/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 7 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exe
    "C:\Users\Admin\AppData\Local\Temp\Bombermania.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
      "C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp" /SL4 $80122 C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe 2384405 50688
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: GetForegroundWindowSpam
        PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Instructions.xml
    Filesize

    15KB

    MD5

    06686de253bf5bca9b3fd61dae44eef2

    SHA1

    a1aa56ee5745d6cca90a99cdb6314fb07817f7b9

    SHA256

    78730e10b80da6e7b5306059bb77869928e0655a1e2a049e8f1a43a93452c05b

    SHA512

    8beece0e9dd2868b3ce6309a812b71d255563280aff4db341508c08da081810b9f721e729678b443953d973bfc3601cbd1256550f0899a7b5dcdd9ad7e196c12

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp
    Filesize

    577KB

    MD5

    e84de69f85741b96c7755124d725f754

    SHA1

    66b144676366e003477f71862ce1cb5b7213ac41

    SHA256

    f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

    SHA512

    39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp
    Filesize

    577KB

    MD5

    e84de69f85741b96c7755124d725f754

    SHA1

    66b144676366e003477f71862ce1cb5b7213ac41

    SHA256

    f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

    SHA512

    39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-9RKDO.tmp\is-2E6PG.tmp
    Filesize

    577KB

    MD5

    e84de69f85741b96c7755124d725f754

    SHA1

    66b144676366e003477f71862ce1cb5b7213ac41

    SHA256

    f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

    SHA512

    39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-VPT3B.tmp\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • \Users\Admin\AppData\Local\Temp\is-VPT3B.tmp\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit
  • memory/292-113-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/292-115-0x0000000000400000-0x000000000049E000-memory.dmp
    Filesize

    632KB

    Download
  • memory/1604-62-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1604-96-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize

    384KB

    Download
  • memory/1844-100-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

    Download
  • memory/1844-114-0x0000000000400000-0x0000000000413000-memory.dmp
    Filesize

    76KB

    Download