Analysis
-
max time kernel
501s -
max time network
472s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
01-06-2023 18:41
General
-
Target
archivo_pdf_01062023.exe
-
Size
4.6MB
-
MD5
607c9cdde6cff616b220d6057ed04e4d
-
SHA1
736fefd82f49949a32b5b375eae86507577c7e37
-
SHA256
17c531b0b3371814115d2912b3abc79b03dd15c43269c608a4d762b9b2c643d2
-
SHA512
f2bf7ed91ac291224c60f98f1a8efb44542ed514a908dd47599971f6a3598be8e4d04514f1e29d8cf7c57df106f17ceda9897558b0e239648ff13868f05ac328
-
SSDEEP
49152:MOdxUmMwUZHB1krgCx4PPjU4uy1ZyagpwVDwtQnv9rK9rmP17zJqVN28C:MV
Score
10/10
Malware Config
Signatures
-
Bandook RAT
Bandook is a remote access tool written in C++ and shipped with a loader written in Delphi.
-
Bandook payload 8 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\archivo_pdf_01062023.exe"C:\Users\Admin\AppData\Local\Temp\archivo_pdf_01062023.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\windows\syswow64\msinfo32.exeC:\windows\syswow64\msinfo32.exe2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\archivo_pdf_01062023.exeC:\Users\Admin\AppData\Local\Temp\archivo_pdf_01062023.exe ooooooooooooooo2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/584-107-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/584-110-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/584-114-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/584-116-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/584-93-0x0000000000220000-0x0000000000221000-memory.dmpFilesize
4KB
-
memory/1520-90-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-89-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-91-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-59-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-123-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-58-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-56-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/1520-54-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/1520-55-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/1520-99-0x0000000000400000-0x00000000008B3000-memory.dmpFilesize
4.7MB
-
memory/2040-97-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-101-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-103-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-102-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-106-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-100-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-108-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-98-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-112-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-96-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB
-
memory/2040-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2040-94-0x0000000013140000-0x00000000140BC000-memory.dmpFilesize
15.5MB