Overview

overview

7

Static

static

7

Bombermania.exe

windows7-x64

7

Bombermania.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/03/2023, 10:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bombermania.exe

  • Size

    2.7MB

  • MD5

    471d39a51a79f342033c5b0636c244dc

  • SHA1

    b0324ddd99677d9b0458c7328879f8fde268effc

  • SHA256

    1154535130d546eaa33bbc9051a9cb91e2b0e3a3991286c3d5b0a708110c9aa7

  • SHA512

    e1df6f0c06a0438d7b1cabae01d38e9bb723feeff67b4a9c8176d46b4da7fbd89be287ff86db9617c02a553d1a7c76c7f5ad1286d12023ad7628f5b0a30066af

  • SSDEEP

    49152:F0Mnrnb04mvy6e4LzKCGilG4mvEsWI9ep0dZfyFhVWHRal0v:KMnn04mY6yilGd19cyhxq0v

Score
7/10
bootkitdiscoverypersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exe
    "C:\Users\Admin\AppData\Local\Temp\Bombermania.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
      "C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\is-Q3JPG.tmp\is-IC0Q4.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-Q3JPG.tmp\is-IC0Q4.tmp" /SL4 $A01B8 C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe 2384405 50688
        3⤵
        • Executes dropped EXE
        PID:2120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Bombermania.exeDir\Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Instructions.xml
    Filesize

    15KB

    MD5

    06686de253bf5bca9b3fd61dae44eef2

    SHA1

    a1aa56ee5745d6cca90a99cdb6314fb07817f7b9

    SHA256

    78730e10b80da6e7b5306059bb77869928e0655a1e2a049e8f1a43a93452c05b

    SHA512

    8beece0e9dd2868b3ce6309a812b71d255563280aff4db341508c08da081810b9f721e729678b443953d973bfc3601cbd1256550f0899a7b5dcdd9ad7e196c12

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OnStartup.xml
    Filesize

    3KB

    MD5

    6f6e56b9f9755b4b8c1f09e48c1b61a5

    SHA1

    3532bd25842e606def492430cf01671f6d7301b4

    SHA256

    4b07f2452780c190f54673618a9ccb7ffdee69b21be5231c0dc17d824d10acb0

    SHA512

    d27e70e8f56181fd0046a8669a02906a5329839e1e9a45f93081b481303069f7129c25d57f512d907411ba99f4398e116ea336b5f12d5e750b81754b7beb130c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OnStartup_FallBack.xml
    Filesize

    3KB

    MD5

    623dadbf038a827d7dfa0e631c3bc0e0

    SHA1

    3dfddb9d4a056404d0fd1dc0de7de6ac23ea1148

    SHA256

    da73a0a830fced711a3ff1941e3dcc8c6786d1b1308cd5852f0f0f6b768dd5a8

    SHA512

    4560608f91d351f27434933c590d2698e69f57c6c16e4f7169d201bc5076c12e20fa2619226e39b9f9348fd3291ac22aa01c5c1c4942ec3a879fbc7321fe7b3c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UninstallPartI.xml
    Filesize

    1KB

    MD5

    f8da0fda97735dd86e697be9f8534f19

    SHA1

    3d9a17fd176c6f0cc9e7000b7786461210d110cd

    SHA256

    9c1a8636ecb5e8f49f88b316dcbf81f2b6803b9905e3c6865aaa6e92805695fc

    SHA512

    c615190b5ffe88c2559b54af685cf1613dc445a7e699c3069ba367bb1c8cf024a4be8186c6a569a12e2c21dfb25fef85bf5183d2f1b014b849e6cd6f9f37c40a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\UninstallPartII.xml
    Filesize

    1KB

    MD5

    514bb2b46bf58a41392d58062f86c0bf

    SHA1

    4094056e016b542b03e8634662280e3cb71668e6

    SHA256

    a04e3251ec95d7cd9a619cf183d9ed99fd6b18190f53a0ce72607d257bd4a2d5

    SHA512

    3b44f47d65197c5f6deaeaa96badb65213015e3636128d9a846f15bc988c4ddef2b23f913b82c8b4deac7e5a5a27f94ffc7b4d82705bdce76edbe7ac518c221d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\_Bombermania.exe
    Filesize

    2.6MB

    MD5

    fe37b30358f0858a8ef4d8b874c8a96d

    SHA1

    7b4a71cb297852872a505da9e7863b3cc2607d1b

    SHA256

    77edc8fd4a7edd277bf6a61b6413804380dd89ed2d0e7b768eae09efc3393d9c

    SHA512

    c0d4a60ec6989f2cb6572a9c9ad63bc469853a669fe7c7e854fc9d49903bf6b67fa928523593e4f34ae44277f084eb6d62737f91fa41f22c5fa49d0dd91cc73e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-Q3JPG.tmp\is-IC0Q4.tmp
    Filesize

    577KB

    MD5

    e84de69f85741b96c7755124d725f754

    SHA1

    66b144676366e003477f71862ce1cb5b7213ac41

    SHA256

    f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

    SHA512

    39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-Q3JPG.tmp\is-IC0Q4.tmp
    Filesize

    577KB

    MD5

    e84de69f85741b96c7755124d725f754

    SHA1

    66b144676366e003477f71862ce1cb5b7213ac41

    SHA256

    f8a9acfc4dbbc58dead29730e266726d1650437b76a73f6d2ff1a91949ca395f

    SHA512

    39bee4921f2391354c30674473c32a388037ded833c368e4114d090c1496b403a3333ca937d5a6d73527efcfe4d2c71037e355929e597598471aeb6a597e6494

    Download Submit

  • memory/728-184-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/728-141-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/1672-186-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1672-196-0x0000000000400000-0x0000000000413000-memory.dmp

    Filesize

    76KB

    Download

  • memory/2120-195-0x0000000002310000-0x0000000002311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2120-197-0x0000000000400000-0x000000000049E000-memory.dmp

    Filesize

    632KB

    Download