Analysis
max time kernel: 119s
max time network: 36s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2024 18:19
Static task: static1
Behavioral task: behavioral1
  Sample: b7edddb3d7041c22515c911b667c0150N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: b7edddb3d7041c22515c911b667c0150N.exe
  Resource: win10v2004-20240802-en
General
Target: b7edddb3d7041c22515c911b667c0150N.exe
Size: 1.2MB
MD5: b7edddb3d7041c22515c911b667c0150
SHA1: 3281cf78a8584b1498c064be10d3418bd221b29c
SHA256: 8f1ede8e647860581f1baa5f3c5eed5d4e8bbfd64ddfe896f9a92106d1ef19f3
SHA512: f2a10053bcfffdbf14c7042b069369551e0b974d9524ac4e9ad70656a510e59b095acf391d3660b448da4059ad33537e48a90243df8a70967cfb4edfa7b7c46a
SSDEEP: 24576:2ryExVz6NBWgLSffv5b8zJE8WipL5Nbs85ak:24aF8KiZ5u
Malware Config
Extracted
bandook
ezeigbo.ddns.net
Signatures

Bandook payload (4 IoCs)
resource                                                                      yara_rule
behavioral1/memory/2788-8-0x0000000013140000-0x0000000013B93000-memory.dmp    family_bandook
behavioral1/memory/2788-11-0x0000000013140000-0x0000000013B93000-memory.dmp   family_bandook
behavioral1/memory/2788-10-0x0000000013140000-0x0000000013B93000-memory.dmp   family_bandook
behavioral1/memory/2788-13-0x0000000013140000-0x0000000013B93000-memory.dmp   family_bandook
Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                              Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\KLIM = "C:\\Users\\Admin\\AppData\\Roaming\\KLMS\\klim.exe"  iexplore.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\KLIM = "C:\\Users\\Admin\\AppData\\Roaming\\KLMS\\klim.exe"  iexplore.exe
Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process                                 procid_target
PID 2092 set thread context of 2788  2092  b7edddb3d7041c22515c911b667c0150N.exe  31
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                         Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iexplore.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iexplore.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b7edddb3d7041c22515c911b667c0150N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  b7edddb3d7041c22515c911b667c0150N.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iexplore.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  iexplore.exe
Suspicious use of WriteProcessMemory (26 IoCs)
description                        pid   Process                                 procid_target
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2092 wrote to memory of 2788   2092  b7edddb3d7041c22515c911b667c0150N.exe  31
PID 2788 wrote to memory of 2712   2788  b7edddb3d7041c22515c911b667c0150N.exe  32
PID 2788 wrote to memory of 2712   2788  b7edddb3d7041c22515c911b667c0150N.exe  32
PID 2788 wrote to memory of 2712   2788  b7edddb3d7041c22515c911b667c0150N.exe  32
PID 2788 wrote to memory of 2712   2788  b7edddb3d7041c22515c911b667c0150N.exe  32
PID 2788 wrote to memory of 2712   2788  b7edddb3d7041c22515c911b667c0150N.exe  32
PID 2788 wrote to memory of 2416   2788  b7edddb3d7041c22515c911b667c0150N.exe  33
PID 2788 wrote to memory of 2416   2788  b7edddb3d7041c22515c911b667c0150N.exe  33
PID 2788 wrote to memory of 2416   2788  b7edddb3d7041c22515c911b667c0150N.exe  33
PID 2788 wrote to memory of 2416   2788  b7edddb3d7041c22515c911b667c0150N.exe  33
PID 2788 wrote to memory of 2416   2788  b7edddb3d7041c22515c911b667c0150N.exe  33
PID 2788 wrote to memory of 2476   2788  b7edddb3d7041c22515c911b667c0150N.exe  34
PID 2788 wrote to memory of 2476   2788  b7edddb3d7041c22515c911b667c0150N.exe  34
PID 2788 wrote to memory of 2476   2788  b7edddb3d7041c22515c911b667c0150N.exe  34
PID 2788 wrote to memory of 2476   2788  b7edddb3d7041c22515c911b667c0150N.exe  34
PID 2788 wrote to memory of 2476   2788  b7edddb3d7041c22515c911b667c0150N.exe  34
PID 2788 wrote to memory of 2408   2788  b7edddb3d7041c22515c911b667c0150N.exe  35
PID 2788 wrote to memory of 2408   2788  b7edddb3d7041c22515c911b667c0150N.exe  35
PID 2788 wrote to memory of 2408   2788  b7edddb3d7041c22515c911b667c0150N.exe  35
PID 2788 wrote to memory of 2408   2788  b7edddb3d7041c22515c911b667c0150N.exe  35
PID 2788 wrote to memory of 2408   2788  b7edddb3d7041c22515c911b667c0150N.exe  35
Processes

C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe"
  PID: 2092
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b7edddb3d7041c22515c911b667c0150N.exe"
    PID: 2788
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2712
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2416
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2476
      - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      PID: 2408
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.2MB
MD5: b7edddb3d7041c22515c911b667c0150
SHA1: 3281cf78a8584b1498c064be10d3418bd221b29c
SHA256: 8f1ede8e647860581f1baa5f3c5eed5d4e8bbfd64ddfe896f9a92106d1ef19f3
SHA512: f2a10053bcfffdbf14c7042b069369551e0b974d9524ac4e9ad70656a510e59b095acf391d3660b448da4059ad33537e48a90243df8a70967cfb4edfa7b7c46a