banload | 123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903

General

Target

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Size

1.8MB
MD5

682d07435d78ad89a7da2de6813c7fc2
SHA1

a5fe9a8d5406bfe2a27213f440019609d5c2156a
SHA256

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903
SHA512

bed222a26a7772d5f87f1ae53ae3bf8b973ab1264857fa4b49b730212ac8b051e5e58e0ba23b1465c4e75588673211829979193e8ec8dfd02d1e428b74ea9602
SSDEEP

49152:dpAxH1HOLShOPbFad10n7TsHe8AtU/zFck29+Y:dpif0Jad1fFAIFp29t

Score

10^/10

banload downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Modifies registry class 14 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ = "Windows Script Host Network Object"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\VersionIndependentProgID\ = "WScript.Network"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\Implemented Categories	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InProcServer32\ = "C:\\Windows\\SysWOW64\\wshom.ocx"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InProcServer32\ThreadingModel = "Apartment"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\Programmable	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ProgID\ = "WScript.Network.1"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\TypeLib	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\TypeLib\ = "{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InProcServer32	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ProgID	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\VersionIndependentProgID	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	pid	process
Token: 33	888	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: SeIncBasePriorityPrivilege	888	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: 33	888	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: SeIncBasePriorityPrivilege	888	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	pid	process	target process
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 1628 wrote to memory of 888	1628	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
"C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
"C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe"
2⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:888

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-73-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/888-67-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/888-57-0x0000000000519000-0x000000000051A000-memory.dmp

Filesize
4KB

Download
memory/888-59-0x0000000002910000-0x0000000002B14000-memory.dmp

Filesize
2.0MB

Download
memory/888-69-0x0000000002910000-0x0000000002B14000-memory.dmp

Filesize
2.0MB

Download
memory/888-76-0x0000000002910000-0x0000000002B14000-memory.dmp

Filesize
2.0MB

Download
memory/888-55-0x0000000000000000-mapping.dmp

Download
memory/888-68-0x0000000002910000-0x0000000002B14000-memory.dmp

Filesize
2.0MB

Download
memory/888-74-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/888-70-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/888-71-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/888-72-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/1628-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1628-65-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/1628-75-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/1628-66-0x0000000002840000-0x0000000002A9A000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads