Overview

overview

10

Static

static

1

RECIBO DE ...58.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    598s
  • max time network
    575s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-04-2023 15:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RECIBO DE PAGO #4858.exe

  • Size

    2.9MB

  • MD5

    e751c63b9d44912e8d728c4b42ff781f

  • SHA1

    5d8617c3fcf7bc47f9e2d766b6d5e745a66e6535

  • SHA256

    fa810720c2221e423174525d355252264f79ef9492f9050ed9504d0e33a24b1e

  • SHA512

    607862f082f977dffb3ed51e0b7668c560a7b1d6afb7ad6fa73cfb227e6886f4be25f3479bee2983f7f17c49cfcb594dfea9859f32eff665d00474e2e3efa834

  • SSDEEP

    49152:fm1oRufNhy88P/iIXW2VJXmvj1G/LWlisw3hs:fmcufi8b

Score
10/10
bandookpersistencerattrojanupx

Malware Config

Extracted

Family

bandook

C2

deapproved.ru

Signatures

  • Bandook RAT

    Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.

    rattrojanbandook
  • Bandook payload 8 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RECIBO DE PAGO #4858.exe
    "C:\Users\Admin\AppData\Local\Temp\RECIBO DE PAGO #4858.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\windows\syswow64\msinfo32.exe
      C:\windows\syswow64\msinfo32.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3384
    • C:\Users\Admin\AppData\Local\Temp\RECIBO DE PAGO #4858.exe
      "C:\Users\Admin\AppData\Local\Temp\RECIBO DE PAGO #4858.exe" dkddkdkkdkdd ddd
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4308
      • C:\windows\syswow64\msinfo32.exe
        C:\windows\syswow64\msinfo32.exe
        3⤵
        • Adds Run key to start application
        PID:508
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1248 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/508-209-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-160-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-171-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-167-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-165-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-163-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-162-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-161-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-156-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/3384-157-0x0000000013140000-0x0000000014009000-memory.dmp

    Filesize

    14.8MB

    Download

  • memory/4308-170-0x0000000000770000-0x0000000000771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4308-172-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4308-155-0x0000000000770000-0x0000000000771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4308-204-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4308-202-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4308-200-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4308-176-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4308-168-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-152-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-122-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-119-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4604-123-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-183-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-158-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-153-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-154-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4604-120-0x0000000000400000-0x00000000006FB000-memory.dmp

    Filesize

    3.0MB

    Download