Analysis
-
max time kernel
293s -
max time network
274s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-04-2023 08:20
General
-
Target
cotizacion digital.exe
-
Size
2.6MB
-
MD5
54aad82a97089ca95a8e04bdf725e571
-
SHA1
769f5daaae9eb3256dc3f8937329a5c996b0f4df
-
SHA256
ca255e39475e03fab80314b13b95219d8143d9689fdcdff7e4c2c9aeab39c010
-
SHA512
553dfc6c11e58e2e2fbb4d5f2fbcd110107a70a9b53f4f4e0ab29645af09e2c39e30090f7710f640f3e2891f9300f535bba5b825c517809b4b1b03ad69870ccf
-
SSDEEP
49152:0G2ZPpGVQpuux0xj8sFUUM+rERWGRsknWjOEa1GUB1g6D:0H
Score
10/10
Malware Config
Extracted
Family
bandook
C2
deapproved.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 8 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cotizacion digital.exe"C:\Users\Admin\AppData\Local\Temp\cotizacion digital.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\syswow64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\cotizacion digital.exe"C:\Users\Admin\AppData\Local\Temp\cotizacion digital.exe" dkddkdkkdkdd ddd2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/852-75-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/852-91-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/852-89-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/852-84-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/852-83-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/1796-87-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-92-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-98-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-96-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-76-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1796-78-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-79-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-80-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-81-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-95-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1796-93-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/2012-58-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-54-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2012-56-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/2012-55-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-72-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-59-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-82-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-71-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-73-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB
-
memory/2012-105-0x0000000000400000-0x00000000006AE000-memory.dmpFilesize
2.7MB