banload | 020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6

General

Target

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Size

4.1MB
MD5

5b277bb0f8ff910dcc3dd8ac45e95f42
SHA1

464690589218f1085cf669a2b4193ac88e931047
SHA256

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6
SHA512

e14897408966464fb3695af62ffcb6745502938bd4f6cdf3937c43bd0c4449c01cc4767b235d4c2c1c9f6f14c3aa7ec8f8dbbdb7e360fae2670016271b75336d

Score

10^/10

banload downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

sefvd.exe

pid process

4720 sefvd.exe

pid	process
4720	sefvd.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

sefvd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\sefvd.exe"	sefvd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 5 IoCs

Processes:

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\ = "HandWritingSkinProps Class"	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\ = "%CommonProgramFiles%\\microsoft shared\\ink\\tipskins.dll"	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\ThreadingModel = "Apartment"	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

description	pid	process
Token: 33	4828	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
Token: SeIncBasePriorityPrivilege	4828	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe

description	pid	process	target process
PID 4828 wrote to memory of 4720	4828	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe	sefvd.exe
PID 4828 wrote to memory of 4720	4828	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe	sefvd.exe
PID 4828 wrote to memory of 4720	4828	020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe	sefvd.exe

C:\Users\Admin\AppData\Local\Temp\020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe
"C:\Users\Admin\AppData\Local\Temp\020e1fb674fb198702e16ede5a47bc7c05d9bd435bdc4d0e2ec121cb53daa3f6.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4828

C:\ProgramData\sefvd.exe
"C:\ProgramData\sefvd.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Saaaalamm\Mira.h
Filesize
155KB

MD5
1215a123cf0897b8a662bea19d51afac

SHA1
1b11136950739d6e52ea310d7c48c756ed8cfc5a

SHA256
fd4431ca5570e600b2d0982e92a40b5cbde8b206460e7ad8d344ce5347fe7add

SHA512
f6ca511033955577bc2bf4cf17e5bccdc0d8b6bc1fb01c60cfb0da3487764bb3ffc5b6cb82f1e0dab3b0e0663dcae72bb7f817491ba35e9c17e2ad707e2b91fd

Download Submit
C:\ProgramData\Saaaalamm\Mira.h
Filesize
167KB

MD5
0e73f33a55525624e9e0a4e543a1feaf

SHA1
da524966eac1671b63d32bb5d9a60525a9089ef4

SHA256
5d6cbbf5f7eaaa0eb86e8543f0d4c3791b6b495661115ca40f921f02600aa2cc

SHA512
d69b913892a3c47108964ac986ba0abc1cbdb6bfc0fa482be3666d5f0249b6c13ef7e5bfd2d4fa67d6b767f8184d17697ece3dc2f9ac8df7239fdfbb4f61262a

Download Submit
C:\ProgramData\Saaaalamm\Mira.h
Filesize
137KB

MD5
1b06ba0bfa20321feef1155721a60928

SHA1
96fa5b7176b98f82d3925f6bcab850b870982894

SHA256
04b17bfc75bb1dcc9483b712b4d17422301adb5ac43c8f9fde800a7d39b3d87f

SHA512
6145c5fca80972355627c8600bf911c6f93040b7eebd961e708d55f21a05268c3332e4b5c3eb781c8575a8d4c3ca7fb1f83d8085b62f98794f1383d98cf9aee2

Download Submit
C:\ProgramData\sefvd.exe
Filesize
137KB

MD5
72919c2fd110c2a33c2c993be729e10d

SHA1
119a9f52a300fcf82201c43cc435def01ec89cc8

SHA256
04c16d334441f7a2433b5cba7d4470966684ddbe845f42785ef18b214dbf1264

SHA512
950357d66d765f8b8d0e94948aba431484c1fa1247bfee55d34ad48dc27d739e642c3c897cee59a4e3af33784dae1e9308091a570944d916221474b71a7d67c5

Download Submit
C:\ProgramData\sefvd.exe
Filesize
113KB

MD5
06af1c0f9475ca858b743295a0b3bcbe

SHA1
4f4ed4783d384451b99292886c7f1c67b178dca7

SHA256
cb5ce13f2daf2685cec4ee04d2da5d16cc939aecf30fefc1d0fcdfff003ece36

SHA512
a77ce694ebeabf29915ea9b83dac13cb9e14a52db7b7096c41f0d94b2e103da7016c58e92703bae18591fdaa8435e6e06df7697cafeb19b0fe22b5ec97a9b141

Download Submit
memory/4720-141-0x0000000000000000-mapping.dmp

Download
memory/4828-131-0x0000000004B90000-0x0000000004D9C000-memory.dmp

Filesize
2.0MB

Download
memory/4828-137-0x0000000004B90000-0x0000000004D9C000-memory.dmp

Filesize
2.0MB

Download
memory/4828-138-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/4828-140-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download
memory/4828-139-0x0000000000400000-0x000000000069E000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads