Analysis Overview
SHA256: d420da458ca2f642d7f541219cc71ddea42f236c7889c04de4733f08d9b89170
Threat Level: Shows suspicious behavior
The file BananaBot.exe was found to show suspicious behavior.
Malicious Activity Summary
VMProtect packed file
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-29 09:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-29 09:30
Reported: 2024-06-29 09:33
Platform: win10v2004-20240611-en
Max time kernel: 145s
Max time network: 147s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BananaBot.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| N/A | N/A | C:\Windows\ja-JP\System.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\Mozilla Firefox\fontdrvhost.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\5b884080fd4f94 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ja-JP\System.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Windows\ja-JP\27d1bcfc3c54e0 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Windows\PLA\Rules\sppsvc.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| File created | C:\Windows\PLA\Rules\0a1fd5f707cd16 | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\ja-JP\System.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\ja-JP\System.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\BananaBot.exe | "C:\Users\Admin\AppData\Local\Temp\BananaBot.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" " |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe | cola.exe -priverdD |
| C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8aTcuQgj5N.bat" |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8 |
| C:\Windows\ja-JP\System.exe | "C:\Windows\ja-JP\System.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 217.28.222.194:80 | 217.28.222.194 | tcp |
| RU | 217.28.222.194:80 | 217.28.222.194 | tcp |
| US | 8.8.8.8:53 | 194.222.28.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| RU | 217.28.222.194:80 | 217.28.222.194 | tcp |
| RU | 217.28.222.194:80 | 217.28.222.194 | tcp |
| RU | 217.28.222.194:80 | 217.28.222.194 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| Hash | Value |
| --- | --- |
| MD5 | 36e7c1d659e3073dde6db4bfb5eac618 |
| SHA1 | b4af6a3a5da137515d2eb2c54131d733dfdf72ab |
| SHA256 | cf765bd3468a6787a00fc1b3a66109980e82c857741345ceab81ddfcbb85bd1a |
| SHA512 | 29a4b0a8faf2bdf85f291475b06c1ec7a4dfe805d1ce1bd71f1c3dbf8a7f6323af2e823cf0b51676847603db81b0d6d01d146040fec3c8ed73de29a8046dc181 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cola.exe
| Hash | Value |
| --- | --- |
| MD5 | cb82a3529a3b74bcbcdc52c92880c2bd |
| SHA1 | c1ab84d9771c26141348e5ce618ba78884e0f47e |
| SHA256 | a954630e294cbeec12bb7e858accc68d6191ce5a004c1c2806f8ffbf246c0dce |
| SHA512 | 5403816bfe36f3745ed5c8182aceefc2be7eec86fd64982aa8a3b849b05471da948e26f92441a5e459b3fc09357eb8111fc738109e1e7e9760d48f89271205f1 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lpobnta.exe
| Hash | Value |
| --- | --- |
| MD5 | 95a81dc75ad154ae28b1d52ccb9acb3a |
| SHA1 | f699e7a5b50d012ca7311733d824e801cf6019e5 |
| SHA256 | b4c7f2ffe3c274332fc7b4edeb4419d0fb73892a65329444a4abd26b064d08ff |
| SHA512 | 30eddb9c5ffbde94dea965cee389a889da2c0c6adc84c29d6415a2f72d31854b8c1e3ff200f609e78659515ce206d3b5318b0f040ce50ee8cea35a24432fee06 |
C:\Users\Admin\AppData\Local\Temp\8aTcuQgj5N.bat
| Hash | Value |
| --- | --- |
| MD5 | d24d9c72a5eb96afa6a3e08dd5e9a7ed |
| SHA1 | 1a5db7852c70995ef11f1572b3fe0284bd8dfa03 |
| SHA256 | 14e4a52106ef4dee0347bf5cc8dead26021d8180140d506d599c6acea36ae7a1 |
| SHA512 | 3fb245c830d3abb040c8c7a91aed56ff0f274f5923053a30800a63ab341bcdb381e34f292eab984cf04413c229285b2a1979000d821334a7605a356038000276 |