banload | 123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903

General

Target

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Size

1.8MB
MD5

682d07435d78ad89a7da2de6813c7fc2
SHA1

a5fe9a8d5406bfe2a27213f440019609d5c2156a
SHA256

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903
SHA512

bed222a26a7772d5f87f1ae53ae3bf8b973ab1264857fa4b49b730212ac8b051e5e58e0ba23b1465c4e75588673211829979193e8ec8dfd02d1e428b74ea9602
SSDEEP

49152:dpAxH1HOLShOPbFad10n7TsHe8AtU/zFck29+Y:dpif0Jad1fFAIFp29t

Score

10^/10

banload downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4736 2232 WerFault.exe 123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

pid	pid_target	process	target process
4736	2232	WerFault.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Modifies registry class 9 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msadox.dll"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ = "ADOX.Group.6.0"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\InprocServer32\ThreadingModel = "Apartment"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ProgID	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\ProgID\ = "ADOX.Group.6.0"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\VersionIndependentProgID	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C231048-7C23-1048-7C23-10487C231048}\VersionIndependentProgID\ = "ADOX.Group.6.0"	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	pid	process
Token: 33	2232	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: SeIncBasePriorityPrivilege	2232	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: 33	2232	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
Token: SeIncBasePriorityPrivilege	2232	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

description	pid	process	target process
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
PID 3416 wrote to memory of 2232	3416	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe	123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe

C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
"C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe
"C:\Users\Admin\AppData\Local\Temp\123bca439d0b626d18e936d1a2a8eb0df7490130f3f6e8a782c5cb2fa8b11903.exe"
2⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 1228
3⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2232 -ip 2232
1⤵
PID:1940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2232-145-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2232-134-0x0000000000000000-mapping.dmp

Download
memory/2232-136-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2232-137-0x00000000032F0000-0x00000000034F4000-memory.dmp

Filesize
2.0MB

Download
memory/2232-143-0x00000000032F0000-0x00000000034F4000-memory.dmp

Filesize
2.0MB

Download
memory/2232-144-0x00000000032F0000-0x00000000034F4000-memory.dmp

Filesize
2.0MB

Download
memory/2232-146-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2232-147-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2232-148-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/2232-149-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/2232-151-0x00000000032F0000-0x00000000034F4000-memory.dmp

Filesize
2.0MB

Download
memory/3416-133-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download
memory/3416-150-0x0000000000400000-0x000000000065A000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads