27dcecbb8e47c6f20f54466d4f14afade78c9518f614c6555fe64b9f37efb6fd

Analysis

max time kernel
48s
max time network
23s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BonziKill.exe
Size

77.8MB
MD5

97893da3ea0e186290435246020bf018
SHA1

9a898f7e782cde4d1c98793a70faf363627a1596
SHA256

27dcecbb8e47c6f20f54466d4f14afade78c9518f614c6555fe64b9f37efb6fd
SHA512

ea54c3b9011e7ea3e024b88da20de7d282393455b504937e4a48e4a7f963d48391f9bd46cf31fb4ae3e63464f8d9467a48581217cf587fcee1d137e5edf6e9c8
SSDEEP

1572864:B9sZOPS0ils8AkMVmrASKdsOJsyjq8aMHH2iROEu2nqle9T32XeB:7scIovdsYsye3MHHnROEIleZ

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2548	BonziBuddy_original.exe

Loads dropped DLL 5 IoCs

pid	Process
2148	BonziKill.exe
2148	BonziKill.exe
2148	BonziKill.exe
2148	BonziKill.exe
2148	BonziKill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2548	BonziBuddy_original.exe
2548	BonziBuddy_original.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2548	BonziBuddy_original.exe
2548	BonziBuddy_original.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2548	BonziBuddy_original.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2548	2148	BonziKill.exe	28
PID 2148 wrote to memory of 2548	2148	BonziKill.exe	28
PID 2148 wrote to memory of 2548	2148	BonziKill.exe	28
PID 2148 wrote to memory of 2548	2148	BonziKill.exe	28

C:\Users\Admin\AppData\Local\Temp\BonziKill.exe
"C:\Users\Admin\AppData\Local\Temp\BonziKill.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148
- C:\bonzi\BonziBuddy_original.exe
  "C:\bonzi\BonziBuddy_original.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2548

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MASH0001.TMP

Filesize
6KB

MD5
7eccc259af24ba7a5a0638562536068d

SHA1
acd3e0fc2e10dfb2e57efa608a60297efb32e54e

SHA256
2e682f6b72fe7f464da31c01cb4769c8fcf556957405740140394282d4fe0db7

SHA512
7fc719c7c0499efc6eff2594e1e46390a421db4ae6c36c5f8822cccca52cedf6be4d9282e49db246a9533fcb929a70cd4e7a25e09984f69db2c922f6c4ba6f8e

Download Submit
C:\bonzi\BonziBuddy_original.exe

Filesize
126KB

MD5
ff8e3bef2b1c444e59d21d5291c81d96

SHA1
a838dc974a49dc0fad824cedcf794c8c9651d410

SHA256
50a65ffcb48cb6ba99ccf79d855696cfdfb28ff21d0f71666c8fae9dfedf878e

SHA512
b872737dd5f1f114785bf948fa8018aed228be99dafd07bf850bab1a4772564f59ed2cc60faedbf3eaf84f12908e1ed2bf07a526484edc6ded0692ce575e4927

Download Submit
memory/2148-490-0x00000000031C0000-0x000000000322F000-memory.dmp

Filesize
444KB

Download
memory/2148-489-0x00000000031C0000-0x000000000322F000-memory.dmp

Filesize
444KB

Download
memory/2148-499-0x00000000031C0000-0x000000000322F000-memory.dmp

Filesize
444KB

Download
memory/2548-503-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-502-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2548-515-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download