Analysis
- max time kernel: 62s
- max time network: 62s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 23-05-2022 16:41

Static task: static1

Behavioral task: behavioral1
  Sample: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
  Resource: win10v2004-20220414-en
General
- Target: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
- Size: 4.1MB
- MD5: 5b277bb0f8ff910dcc3dd8ac45e95f42
- SHA1: 464690589218f1085cf669a2b4193ac88e931047
- SHA256: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6
- SHA512: e14897408966464fb3695af62ffcb6745502938bd4f6cdf3937c43bd0c4449c01cc4767b235d4c2c1c9f6f14c3aa7ec8f8dbbdb7e360fae2670016271b75336d
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs
-
Executes dropped EXE - 1 IoCs
Processes:
  pid 4720  process sefvd.exe
-
Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe)
-
Adds Run key to start application - 2 TTPs, 1 IoCs
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\sefvd.exe" (process: sefvd.exe)
-
Enumerates physical storage devices - 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class - 5 IoCs
Processes (all by 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe):
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\ = "HandWritingSkinProps Class"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\ = "%CommonProgramFiles%\\microsoft shared\\ink\\tipskins.dll"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\ThreadingModel = "Apartment"
-
Suspicious use of AdjustPrivilegeToken - 2 IoCs
Processes:
  Token: 33 (pid 4828, process 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe)
  Token: SeIncBasePriorityPrivilege (pid 4828, process 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe)
-
Suspicious use of WriteProcessMemory - 3 IoCs
Processes:
  PID 4828 wrote to memory of 4720 (020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe -> sefvd.exe)
  PID 4828 wrote to memory of 4720 (020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe -> sefvd.exe)
  PID 4828 wrote to memory of 4720 (020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe -> sefvd.exe)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe (command line: "C:\Users\Admin\AppData\Local\Temp\020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe")
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
2. C:\ProgramData\sefvd.exe (command line: "C:\ProgramData\sefvd.exe"), child of process 1
- Executes dropped EXE
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 155KB
  MD5: 1215a123cf0897b8a662bea19d51afac
  SHA1: 1b11136950739d6e52ea310d7c48c756ed8cfc5a
  SHA256: fd4431ca5570e600b2d0982e92a40b5cbde8b206460e7ad8d344ce5347fe7add
  SHA512: f6ca511033955577bc2bf4cf17e5bccdc0d8b6bc1fb01c60cfb0da3487764bb3ffc5b6cb82f1e0dab3b0e0663dcae72bb7f817491ba35e9c17e2ad707e2b91fd
-
C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 167KB
  MD5: 0e73f33a55525624e9e0a4e543a1feaf
  SHA1: da524966eac1671b63d32bb5d9a60525a9089ef4
  SHA256: 5d6cbbf5f7eaaa0eb86e8543f0d4c3791b6b495661115ca40f921f02600aa2cc
  SHA512: d69b913892a3c47108964ac986ba0abc1cbdb6bfc0fa482be3666d5f0249b6c13ef7e5bfd2d4fa67d6b767f8184d17697ece3dc2f9ac8df7239fdfbb4f61262a
-
C:\ProgramData\Saaaalamm\Mira.h
  Filesize: 137KB
  MD5: 1b06ba0bfa20321feef1155721a60928
  SHA1: 96fa5b7176b98f82d3925f6bcab850b870982894
  SHA256: 04b17bfc75bb1dcc9483b712b4d17422301adb5ac43c8f9fde800a7d39b3d87f
  SHA512: 6145c5fca80972355627c8600bf911c6f93040b7eebd961e708d55f21a05268c3332e4b5c3eb781c8575a8d4c3ca7fb1f83d8085b62f98794f1383d98cf9aee2
-
C:\ProgramData\sefvd.exe
  Filesize: 137KB
  MD5: 72919c2fd110c2a33c2c993be729e10d
  SHA1: 119a9f52a300fcf82201c43cc435def01ec89cc8
  SHA256: 04c16d334441f7a2433b5cba7d4470966684ddbe845f42785ef18b214dbf1264
  SHA512: 950357d66d765f8b8d0e94948aba431484c1fa1247bfee55d34ad48dc27d739e642c3c897cee59a4e3af33784dae1e9308091a570944d916221474b71a7d67c5
-
C:\ProgramData\sefvd.exe
  Filesize: 113KB
  MD5: 06af1c0f9475ca858b743295a0b3bcbe
  SHA1: 4f4ed4783d384451b99292886c7f1c67b178dca7
  SHA256: cb5ce13f2daf2685cec4ee04d2da5d16cc939aecf30fefc1d0fcdfff003ece36
  SHA512: a77ce694ebeabf29915ea9b83dac13cb9e14a52db7b7096c41f0d94b2e103da7016c58e92703bae18591fdaa8435e6e06df7697cafeb19b0fe22b5ec97a9b141
-
memory/4720-141-0x0000000000000000-mapping.dmp
-
memory/4828-131-0x0000000004B90000-0x0000000004D9C000-memory.dmp
  Filesize: 2.0MB
-
memory/4828-137-0x0000000004B90000-0x0000000004D9C000-memory.dmp
  Filesize: 2.0MB
-
memory/4828-138-0x0000000000400000-0x000000000069E000-memory.dmp
  Filesize: 2.6MB
-
memory/4828-140-0x0000000000400000-0x000000000069E000-memory.dmp
  Filesize: 2.6MB
-
memory/4828-139-0x0000000000400000-0x000000000069E000-memory.dmp
  Filesize: 2.6MB