banload | 3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Size

2.7MB
MD5

f973642b2358732382584ec27bec2d00
SHA1

c27050d9c709e2a5bbe88950f3040462896cc994
SHA256

3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7
SHA512

c0444354c001e4b13b847c972aa780613f3f83c258f80cdbdc8ad387dd17e753d105ee6646c3a84179a63db5961909799d87126f81025ce88494d2db7e86c98b
SSDEEP

49152:vvgr7S8COnATBbOzeHNMmAtMyMpy76wR9KWnE83S78DN2HTbuXw:vv6gxvHN54PWG6wRgu3Ue2cw

Score

10^/10

banload downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1764	804	WerFault.exe	79

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E8AFDDD-866F-1A20-0791-E9702196D840}	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E8AFDDD-866F-1A20-0791-E9702196D840}\ = "MIDI Renderer"	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E8AFDDD-866F-1A20-0791-E9702196D840}\InprocServer32	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E8AFDDD-866F-1A20-0791-E9702196D840}\InprocServer32\ = "C:\\Windows\\SysWOW64\\quartz.dll"	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E8AFDDD-866F-1A20-0791-E9702196D840}\InprocServer32\ThreadingModel = "Both"	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	804	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
Token: SeIncBasePriorityPrivilege	804	3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe

C:\Users\Admin\AppData\Local\Temp\3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe
"C:\Users\Admin\AppData\Local\Temp\3c5f24c50fa79992ff6a4c00a6317925f1fce059914c031e5f0642bc572aa2f7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 1008
  2⤵
  - Program crash
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 804 -ip 804
1⤵
PID:2092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-132-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-134-0x0000000004B80000-0x0000000004D8C000-memory.dmp

Filesize
2.0MB

Download
memory/804-140-0x0000000004B80000-0x0000000004D8C000-memory.dmp

Filesize
2.0MB

Download
memory/804-141-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-142-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-144-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-143-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-145-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-147-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-146-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-148-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-149-0x0000000000400000-0x0000000000886000-memory.dmp

Filesize
4.5MB

Download
memory/804-150-0x0000000004B80000-0x0000000004D8C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads