72f151d9eae658a2550f2f272a50447cf07a2c159584b530eaf1b9b1593b6063

Analysis

max time kernel
155s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bonetale (1).exe
Size

64.5MB
MD5

d49d8ce6085a83fd5d46e79eee43790a
SHA1

6329e40e9fe15c341cca12b0e50686587b4702e3
SHA256

72f151d9eae658a2550f2f272a50447cf07a2c159584b530eaf1b9b1593b6063
SHA512

54177a3725e02819cd87506f8a95a121b467925bd5cd14361c21f49e97fc57fc033cf640d7340d08bc3e2ce2fb473043a2a8dcf614fbb9b299bfe2fb6abf8cb0
SSDEEP

1572864:bZ/JTVyoo8FuQiK2W+sa5mddIhi+YFCw4D1iW8A:t/fZhiNW+rZi+pzr

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 21 IoCs

pid	Process
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe
1164	bonetale (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1164	bonetale (1).exe

C:\Users\Admin\AppData\Local\Temp\bonetale (1).exe
"C:\Users\Admin\AppData\Local\Temp\bonetale (1).exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MMFApplications\Bonetale_save_0

Filesize
48B

MD5
c39b7841e5b8fbaf86668f4bf921b126

SHA1
6bf71f0a3736bb6b0bdd8fd0b884811fe8aed870

SHA256
8a1d6f4b75f09fa13c0aa22bc0724ebc0b2fba1ef98b7b1b565ec70c2bfc3a43

SHA512
632bb6739a5eebce12c23b772466ab0f826fcee24abc27c22bc21a9a865b87b9a4fc15e15e198697747b72f8fb054636a5dd99e556c1ba6598cd08b2b40e45b2

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\AdMob.mfx

Filesize
328KB

MD5
a8ac276527b2d62e20fe194d8869dcd2

SHA1
9a7fc0315e8f4698308f045bcc549811978389a1

SHA256
63643eba7092157152fae32691a2b270d5c39b0da26fb97688e39ce4f0d01b75

SHA512
47d0d7954b374ec8fb65271d24e1267f277eeaf73c4261c2b4cf698c481b62d2e8729e756d4f89cee2ae0268b3a6129ae14eb6a96c9cd94e4a35dc703a2e46d2

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\Android.mfx

Filesize
129KB

MD5
f77d2502f0e60c9bab9470c0e4a1a127

SHA1
557b146a5ba0b7b09ef85c9461ab0faa34fddf46

SHA256
69369bfc2772841e292b79d9c17ba3f855a4dc0652a61e4ec71f29d1c1b4e044

SHA512
a190ec98d35c910a79cff84829558ce88530af05460f8cc53abbc36d6f227a61259908d01c0d1fadf0bda336a59f1cc3cc9ab8d5f2f4690425b39d68a558ebee

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\Crasher.mfx

Filesize
32KB

MD5
651aa80793ff0be0e39bd78a992486f8

SHA1
08bd0065fcf2c1f03640734c2b36788d442ebb1f

SHA256
ac9e9bb0408eb5213d67e4e8984c7ee426f4b7d2ae76ff0d998ed28fd4c06f7f

SHA512
3b79fc6608fbe0cdeef88424fdc5ce97c16eabb0ed4492ec6e2337a71178a6fe2a6dc2ff896879ea40f93889276f59169f2d4f6dd41422c8cd1dd1fc8f0a0c34

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\GetSetLanguageLayout.mfx

Filesize
156KB

MD5
4c9b40fff54246d2969b41fa6fb70381

SHA1
5230265e0c19f34ddf93cc71f5b8999e74b021e7

SHA256
7d8f23c177883cdeaf1ffd45ed695aaf272b1bff228032fa081ff39250110e3d

SHA512
76ddc534bbeb3e2220cbe0d990b2ad44764c7b996986ba08b0ac58e8cc2cf27f86e6856476cf65238ad87d282d5bb63ef141a4aced504c32b51f4cf23e48a3c6

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\KcArray.mfx

Filesize
32KB

MD5
924776b6d0a3e7c942ae23f0d0876a3f

SHA1
4ff9ef22193df92fc7f2cba82c9ab1ca1df841c5

SHA256
6d0b3dfb33ca01a0464cf1d26083bdd5c70abd1d89d981f95c5f3cc692b2128b

SHA512
ec7d364328a7aeb69c30fd0934d2641371d60fc2e60da0ca590cfe61da7ca8b4e30d11d7235ad6d5fa921d28ce834f1e08a015cd9ce573cf7ee64fac2a5b19df

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\Key.mfx

Filesize
84KB

MD5
19836ce4fb47847489f3c2c4d14a4a87

SHA1
494f0738dca5a57c66e80ebc888982241b7092c4

SHA256
fa63dd24850b7d06661c3fb1732b82ff77e61d176fa9d358eae0f6039dd5296d

SHA512
bdc14722b6c7ac32385011da16dd15f797e0285b5ef0e04787ca0def17afbdae0f64e638580f31bdb70b21dd92a6a8c027525f6045856bb8700fc2ed3317c20a

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\MultipleTouch.mfx

Filesize
44KB

MD5
e97e84dad3fcfaa2d6eed2dff427ce13

SHA1
00f49dcb73949cffb3728673d26589a1b7203108

SHA256
d9e902472e162c70683387c9891972361fb7d158b1beecb5bff7e3c348e75553

SHA512
26eff56bea83945ffc4ee29a25123c2f8301cbf0a250f72d88451d7087941c5a0638df0b9164c71306158d2d6cd385cabd80ed188457277a546392be239c5108

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\OpenURLs.mfx

Filesize
81KB

MD5
213a3941e576daf3e6f6be616a6643c1

SHA1
55e31d2fb7084a130e4a27fbd433704e3e840b75

SHA256
6d33883fe9a8fcdff9aab0e886d505a38e21a461c713e5ac7b7e0c2a65e934ae

SHA512
310f951c93cb54131bce7e7cdd50225b55a9168ff922e320145f8517cda27d53de55a03ef16aba107cd968a4471d1702b9c3689f5a20f55b786df31d6ab82933

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\Perspective.mfx

Filesize
15KB

MD5
9f064bdcb066daa428db0ed9e33e785d

SHA1
3c0df73cf247ce49d1010fe0e2f722424fe43f4f

SHA256
090925a4cd961f22b1ecd2fba4ce04ab063e26507a1dc09b1d6a40c4860a8777

SHA512
4a510ce13c379e8cb5ccb9f9c69e28e9440f48156c8c4c1fef6987495cace7c028d45530ac961f47786e8f503f90c54310cb1ccf43d7fd584506461c1bd616d5

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\RedRelayClient.mfx

Filesize
416KB

MD5
46b8a621e8bc1e420fe746236e1ccb98

SHA1
962b1c151cd09623513223f587bb19c5692264f0

SHA256
01ed838d0c5c3ea578748f50c68b215832686e304527031bd232a16040b951ee

SHA512
68c7996a3bf15cfb7c9e37382733588610e8fbfecad4d9357822e0cc58473e81b01413588ebf7af2b01811028ee5c9533bf427c22d03c17403b9e75286e30051

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\kcclock.mfx

Filesize
100KB

MD5
4abdbfea6c9627742b7790bb7628e810

SHA1
48b1f7be78265ee174e7632bf8def4fe17e34bd1

SHA256
13161d9797f2c783a7e7fdde97fe3df9c1373919dd2d946db37f94b964e32c75

SHA512
e6997d8d0a830ce66c0e5259126ec54f3d079f2e3f7f2ae0f8fc528399ab8d163f7021d62fb3dac18366674ebb004ff056b8cc156d8dfa5fb56a7a22e9d487a2

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\kcedit.mfx

Filesize
32KB

MD5
2a05ae15cddeac907d56b8c615fdf1b8

SHA1
a8839049e5df3a33e4b8c579a318efa18de8fe5c

SHA256
6a8eeffadb8c98092848a9e400c66744ad345c79ffed01b115ddbbbb89f635f8

SHA512
2b3e30c84b1f905e343a3fce11cafe9ecad41bfe84929bb7d1eea267047349459e47035c8bdee883463c18cfbdf12b1b645d78394e5422a89ebfd73acdc13464

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\kcini.mfx

Filesize
114KB

MD5
75b883bab730e820984dd120279d5528

SHA1
c69f6c155b0784022e446ca81238c8af9f860559

SHA256
d4ab06579bc5ee47da90bfcbfea652f4a829f1c2c842975283411ebf02e5ffc6

SHA512
cb6c85a8b5ec06fe4e770ec92e9ecb84a195f85e04365fb62c47535cd216a0de8978c6add6c1006d4e4b0c9841b4fc719ebbb7ef5a25455b3677ff1ecf543028

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\kcwctrl.mfx

Filesize
80KB

MD5
25b80f6b57703155f567152959397cff

SHA1
8dab472c2647e85a52013e4dd3cc98eb2cc2169d

SHA256
4551791a60dc0d4ee17c8a0fd7ab23fbb0cd688a9cd5f7c97acb962254b1de68

SHA512
2468af21d45456e02d645ad9187c646aeb740e40d35f15295d338cc8a1008095107a84a61a7a1c8f4c944e267372ee48fe1962720ec6eeaf67edbcad318bb6da

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
3ae47534f1224c4797176107a9a41683

SHA1
5c4af10c0afa5233a21a661d7ba9130c808a961d

SHA256
53edf5138930d52b473104ce0d085413248d15a4aa891ac02a718e89625de6ef

SHA512
6dc285765b4726708afaab793b7b384121476fa807114490824a5513c5c80b6278e376dae3b0d82a7360cd65cdbce8d3f60ed23271453a08e2a5af311715e8d3

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\mmfs2.dll

Filesize
498KB

MD5
71e3ecd8c7c74dbb8e6227ee3ecd341b

SHA1
2ce2de1eec3b3a0537efa15a39ee1651869d7aee

SHA256
c6ab2df75ccc58492ebcdfa0b3eade7b44e6b8b1540fc4797f5b11bd39f4f06e

SHA512
0f22e0d0770c99c3f17c87f038250edbaa356e8628ce6e137bb6524b289b658617f28639c5cd7ae5dab2db40f228dcd5bb72b07918ece6b2737785e0e06c2f8d

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\mp3flt.sft

Filesize
24KB

MD5
dadc138be9d36e6e4b8e4bf9ef2de4bc

SHA1
2758db786c544ec7889f26edf9bc4634c9240af0

SHA256
ddeafda7b28bf7545e3ba164aa4a74219eb961c36bb974e0f5085a07daf18f44

SHA512
63a21c5eda225c7fb8a67595c3180d4fdc1bc37d3b45f839e1b562ef946bf5b2237a9ff17c3f6f5de489779bbb9652ac2a1a74b83f153883bd436756acf249e1

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\oggflt.sft

Filesize
130KB

MD5
0c8c1ee3ba92189f4ce21d1b396a2765

SHA1
b7daa4a6e16416151dccbb0a89f304961b6cb627

SHA256
9e589f86317d840df9bb74f6ee20c24ca65afe58f4009740382f63a0f5531941

SHA512
0a4339092ac55bac3b1bdfaaa3401020f8f49918bd2fdb14524f3d558eb840b876aedfdeb54a1da163fa36393abf3fe8ab7e112a34ea9d891e82a22e96c85ddc

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\txtblt.mfx

Filesize
36KB

MD5
8740745e7af7926a0e7d3b194fb51fdf

SHA1
d7688925efd0287334d444a9e4bd584177ed0fbc

SHA256
09a214d9738946b14c4470ea95b45de41641e5d69b7559dbf336f7b4624859b0

SHA512
dc52c25b588f386cceb0eef912e0ac38ffb07443011c957ca3d0fda8c2c6d41e8fbcb33dfc1b7c5ff469216cd8c233d5025b88575bd10684827c18fb5ef52bb3

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\ultimatefullscreen.mfx

Filesize
73KB

MD5
96059dbec69c3904e4d7ce734a4b38d0

SHA1
5169934f8d89b0dba963861dcbae55e78fc21dfc

SHA256
fd179783ff6e6eb0959185087f33ed4a1b256e58762d9817bcb16888e20f7058

SHA512
82977b2c249e47ca37d6fd62f416ed995b4b5f953bc5c18c84bfbdacc2c5b17fdc50c1e736fafcac242a3f8921b5000e0ec84302bc4e0077d6eeee3aa43cc520

Download Submit
\Users\Admin\AppData\Local\Temp\3e68cb21-7e76-45ed-8ce2-f67410d00917.FusionApp\waveflt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
memory/1164-44-0x0000000000380000-0x00000000003AD000-memory.dmp

Filesize
180KB

Download
memory/1164-63-0x0000000000A30000-0x0000000000A86000-memory.dmp

Filesize
344KB

Download
memory/1164-31-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1164-68-0x0000000000B00000-0x0000000000B26000-memory.dmp

Filesize
152KB

Download
memory/1164-56-0x00000000003C0000-0x00000000003D5000-memory.dmp

Filesize
84KB

Download
memory/1164-78-0x0000000000B60000-0x0000000000B84000-memory.dmp

Filesize
144KB

Download