bandook | hxxps://drive[.]google[.]com/file/d/1Co5rXfVJhNPvA3atvkEMmeKcyc5hxvGP/view?usp=drive_web

Analysis

max time kernel
300s
max time network
281s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Co5rXfVJhNPvA3atvkEMmeKcyc5hxvGP/view?usp=drive_web

Score

10^/10

bandook persistence rat trojan upx

Malware Config

Extracted

Family

bandook

gombos.ru

Signatures

Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
rat trojan bandook

Bandook payload 8 IoCs

resource	yara_rule
behavioral1/memory/4376-408-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-409-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-410-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-411-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-412-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-414-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-416-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook
behavioral1/memory/4376-420-0x0000000013140000-0x0000000013EB0000-memory.dmp	family_bandook

Executes dropped EXE 2 IoCs

pid	Process
1164	FACTURA#00256.exe
5116	FACTURA#00256.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4376-405-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-406-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-408-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-409-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-410-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-411-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-412-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-414-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-416-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx
behavioral1/memory/4376-420-0x0000000013140000-0x0000000013EB0000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133257243357760744"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4376	msinfo32.exe
4376	msinfo32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
3704	7zG.exe
4260	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1332	4260	chrome.exe	84
PID 4260 wrote to memory of 1332	4260	chrome.exe	84
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 3020	4260	chrome.exe	85
PID 4260 wrote to memory of 1116	4260	chrome.exe	86
PID 4260 wrote to memory of 1116	4260	chrome.exe	86
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87
PID 4260 wrote to memory of 1568	4260	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://drive.google.com/file/d/1Co5rXfVJhNPvA3atvkEMmeKcyc5hxvGP/view?usp=drive_web
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd469a9758,0x7ffd469a9768,0x7ffd469a9778
  2⤵
  PID:1332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3196 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4548 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4948 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5492 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1824,i,6256949204099523871,7986786162828795282,131072 /prefetch:8
  2⤵
  PID:1368

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2702:88:7zEvent19844
1⤵
- Suspicious use of FindShellTrayWindow
PID:3704

C:\Users\Admin\Downloads\FACTURA#00256.exe
"C:\Users\Admin\Downloads\FACTURA#00256.exe"
1⤵
- Executes dropped EXE
PID:1164
- C:\windows\SysWOW64\msinfo32.exe
  C:\windows\syswow64\msinfo32.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Users\Admin\Downloads\FACTURA#00256.exe
  C:\Users\Admin\Downloads\FACTURA#00256.exe ooooooooooooooo
  2⤵
  - Executes dropped EXE
  PID:5116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
80f3253f53e71d6970279a5e03c59e44

SHA1
6e54592b484ce8a669502b91292c0a2a01d6788a

SHA256
c6b2a0af05c4aaf19dac2f0afa9c18b680a404de601b02c1bdd6a981c98e6e86

SHA512
6193fddbd9096ba49067f16363d99831a5ab09647d60ee4a222c15c9232617a61ec9b542767bf6bfcdb6daf4c075df93654ae25b9d5611034838062d24900e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4e248ee6268a96daf04dd0f882ab27b8

SHA1
75a2bcc8923bfb88b061eb7457f7b75bbb5d0314

SHA256
39df1b87d7c93d3dba51522f450fa0c05bf6b5e985fdb848300c6023dd0d5eb5

SHA512
b2ed1af6e8dd967b2d7ade2bb66ca144d593d59bfea84be87690549d0a24a2a78661327a495cdb483c94d83b2361689d7ba9c309c4f781f6137daafa8bfca305

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
627df15507030a9e279b5812c89b0ba6

SHA1
5f56265ad6dbedbdcb69ba99003b1d521b914274

SHA256
e2c83cc0dd6d68af20e0550f14dac77b22b62088c4823b7dede11c9925301aba

SHA512
e5c6bc25cdc373b4d40d0d2abee5f77d8b80bc5db2ad798fbf908916f49a6e4a24b7dc7486bdaf71728891a4ba3617b983ee73da7800a0e038542ade99ca8e51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
93f351d67bbea6d6c24657ce2566ce65

SHA1
03a5de8b4d49e3081820d85c3535636a02d6ee0a

SHA256
4fbfcc8562e26bd6048fb91d8710db7ba22fa43fe35765e89bafda54fef645ae

SHA512
2d4b9fff93a8aa80601adb49892b872601e31f72e3bee76f9456829e439c653b1dd2782cffe4ccc22ba6f7b0a6543223763d012a07b712ac0687dee15a5c98ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d766f767b8af54db5e71a566de95194b

SHA1
87aa509c17c01db67fa49481ce9ff2e2cf1c9d8c

SHA256
db1f387120c125b5298c91ccb10491ddbe2cc96616068167d1eee53f0a52b8f7

SHA512
6d8d84d89d60dc496c002543717a94a412b7b0fb71c79d2a449f470a75ac6e6856b609cd8b8b312981dc996393695b452596ae91d72ba2677b47545cc866baa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0ecb67a35ba6539fd3023bed058462b7

SHA1
8df7e93c6ea6413557322402c3c51ab8511f24f5

SHA256
05a2727518e7db451a33767ca07d9ed50e33452cbbbd6343958e44be6bb91452

SHA512
7b33a9d1a24ec2783fb351a20050a32a09e67035325e56086e21aabaf7ac2e64fa8e08bbcc2631e01c1dfc7e8f4a8f098999a3270671be5c65ddda1fa2b190ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
020a6c98fb3bff8a36cb0a3e99036f06

SHA1
d0acc0032575d31787f59d9eda9d879298a7d2e8

SHA256
b9a9e10f1ed1c2f9f7ba83258350afe752517c7768f19b194b9f7a05240c6327

SHA512
ed991c2b524c433502ae54e798632fd5f267306cb6e48c94e17e5fb474b7799ae96217f34ed8668429ec5ded8824d49238cefb656b731f064906a4ca3bdb27b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
54dd4df6379fb5cabf995e57cf2fcbc8

SHA1
5b2ec309f01e97dd50b0781d607c7603c2c7706a

SHA256
6ad506830ea42d5ac03278c5877b93e717d35b9c0ce90568cbc30557d5ceab84

SHA512
a92d3184bb709e91e5f1f301ef2681a5ad29fef5bc90d78d39c3a45e394aa85d0876a6bb2dcffbd6dfec0a0ef6a56ac34a269baa7a9570c774ff8049dc9980a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
40d3d7173d7ba47aed58a6f9682a1d19

SHA1
8d572a52cb632a32f75b05f4e70bdb8f72592a53

SHA256
1684814c8328e69fd51f0346e502c9f304de6fd3bcbe4413c415c74e9a9e4e60

SHA512
3c15345755ed3458f26783f97bfa3bd346d2faa659fb0fb13d8d9bfbaae2aa889b00446b47409f3e0743fa1b7d0d40e340af720965fe8383db7d1ec39c3b5931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
c456c82efc718f3b295a66fe520001f2

SHA1
b3f7f9d521476c7fafa8c88c95db5d4b0e959e77

SHA256
98602a06350300afb86651da584afbd7e906a21ce3e84f96b9507c8122303dfc

SHA512
14793beb8df1d4f835b0c4c0da0fb0fae3870567bc990343641be4360d38683a42a7a7d440258ff83146023537edffde5f44cbf33ac9bd7c207b235bc5eb7d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
f75f94cf840c5592637a7932ae6d1e07

SHA1
6872ab333ffda17b5339d8c2a9de12d27f3b8c8f

SHA256
ab6969f423fd5012c308c3ce9c2abdaa179956b14a74c66e7a27f835b2aa5807

SHA512
663e31f0e319ae2a8e73ea248971f3bc69b2cf25bf812f67569599eed0324a8dcb6dfca6dc9d1644d8c7cb3b97eb9d34bb429af3edae30fd382d4517b43868cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
3b670466914b1431f5153cf3657feca0

SHA1
61115d2d209ff9a7344c2ca432984aab12f6fbca

SHA256
3ea2f92cf87b8cc09147e3a2613934e0ecdfa9419045af40f5d3363b15bd8a65

SHA512
c109bf516c11bbe32298b707cf297a6bb36c3edce73991f82d227a5591ca6cd29cda04a6778366d6ba5d06f2ca8264d2eee49f8ed8e27c1f06bc5979b0c04030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57596a.TMP

Filesize
103KB

MD5
38a1390e76ba346e284a07c9263e7084

SHA1
9bbcc5d2ef849cecef334ce7c6763a79a80f06e1

SHA256
1bcdfa41ec39cdbd73476c553db5dbfb952b95d5bfcc9a1d2055312856dd1e2c

SHA512
b5068985a2cb8115034b5e9fccdc7520ba3ee77d34d8ecd11b5f9819b65946210649b8b536205295966d83efaf2a054e04506a5a9ede89c70e5829d0a841e9f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\FACTURA#00256.exe

Filesize
2.8MB

MD5
40776099cf9098a626bae58763a503f6

SHA1
43fc1530db54c356831f4fd96b81c1548c6b1a05

SHA256
247b0725fc0935131537dd00eb454269f3dd5c8c94002448c7b3c27a9aafc75c

SHA512
947b1a5b62b26d4d45c707d1f6dd4bfe944742285f25cde8128b03d634bffc7cdf8dc00fc507e7a0278fa498961be7a32f54e509be107621b53a711a6ff4215d

Download Submit
C:\Users\Admin\Downloads\FACTURA#00256.exe

Filesize
2.8MB

MD5
40776099cf9098a626bae58763a503f6

SHA1
43fc1530db54c356831f4fd96b81c1548c6b1a05

SHA256
247b0725fc0935131537dd00eb454269f3dd5c8c94002448c7b3c27a9aafc75c

SHA512
947b1a5b62b26d4d45c707d1f6dd4bfe944742285f25cde8128b03d634bffc7cdf8dc00fc507e7a0278fa498961be7a32f54e509be107621b53a711a6ff4215d

Download Submit
C:\Users\Admin\Downloads\FACTURA#00256.exe

Filesize
2.8MB

MD5
40776099cf9098a626bae58763a503f6

SHA1
43fc1530db54c356831f4fd96b81c1548c6b1a05

SHA256
247b0725fc0935131537dd00eb454269f3dd5c8c94002448c7b3c27a9aafc75c

SHA512
947b1a5b62b26d4d45c707d1f6dd4bfe944742285f25cde8128b03d634bffc7cdf8dc00fc507e7a0278fa498961be7a32f54e509be107621b53a711a6ff4215d

Download Submit
C:\Users\Admin\Downloads\FACTURA#00256.rar

Filesize
2.0MB

MD5
4b0b34ab701919f3f5294e47e7c2e13c

SHA1
901c874ed5a8cfefb66e63b72633e1afad2c043e

SHA256
1110a719adff88a0b121ff7bb4863f6d5f89e7289afae5dcc4c3972b35188ea5

SHA512
204a7124e7c162ce509ec7318699e42e0fc14ed7b5b6659aaff2d2af46c03a232d49e45ae09c5f682c053078534d11700b6bb211d0cb193ac52115c5a63cae99

Download Submit
C:\Users\Admin\Downloads\FACTURA#00256.rar.crdownload

Filesize
2.0MB

MD5
4b0b34ab701919f3f5294e47e7c2e13c

SHA1
901c874ed5a8cfefb66e63b72633e1afad2c043e

SHA256
1110a719adff88a0b121ff7bb4863f6d5f89e7289afae5dcc4c3972b35188ea5

SHA512
204a7124e7c162ce509ec7318699e42e0fc14ed7b5b6659aaff2d2af46c03a232d49e45ae09c5f682c053078534d11700b6bb211d0cb193ac52115c5a63cae99

Download Submit
memory/1164-384-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-407-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-386-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-400-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-401-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-402-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/1164-268-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1164-385-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/4376-408-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-412-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-405-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-420-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-409-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-410-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-411-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-406-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-414-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/4376-416-0x0000000013140000-0x0000000013EB0000-memory.dmp

Filesize
13.4MB

Download
memory/5116-417-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/5116-419-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/5116-404-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/5116-421-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download
memory/5116-423-0x0000000000400000-0x00000000006E2000-memory.dmp

Filesize
2.9MB

Download