Analysis
-
max time kernel
293s -
max time network
300s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-04-2023 08:24
General
-
Target
Solicitud de Pedido.exe
-
Size
4.4MB
-
MD5
977f1f35f0bd4875b819699fe4766f6a
-
SHA1
abdf999e4c411e2f8f9c7db35bc84de94eeef6dd
-
SHA256
cd154f108be279c059b94990062bce732143c791a0ed45f37b8580cab615a8fe
-
SHA512
388afdb5dc0946f8656cb082d961d7b372b43e4db126b487c40a2b4b7af1159bb7542fe0395e5d1940e0c0b51f341d601eb351121df56c6b48da0f2385a845f8
-
SSDEEP
49152:VxJPhlQg2pC3EDJqqX4nu32Gnez0wY3IzObmbHms+fNpqv98uTnUkcNVuV9zwu:VxTrh3E
Score
10/10
Malware Config
Extracted
Family
bandook
C2
bomes.ru
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 7 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido.exe"C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\syswow64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido.exe"C:\Users\Admin\AppData\Local\Temp\Solicitud de Pedido.exe" ooooooooooooooo2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1444-54-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1444-55-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-56-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/1444-58-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-59-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-71-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-72-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-73-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-104-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1444-82-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1576-79-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-95-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-77-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1576-80-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-81-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-76-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-96-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-78-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-92-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-91-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1576-90-0x0000000013140000-0x0000000014009000-memory.dmpFilesize
14.8MB
-
memory/1808-88-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1808-86-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1808-84-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1808-83-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1808-97-0x0000000000400000-0x0000000000869000-memory.dmpFilesize
4.4MB
-
memory/1808-75-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB