banload | 9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78

General

Target

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
Size

3.0MB
MD5

1f940e2f51ca26ed781279ef62c15ed6
SHA1

0128493a43ce13652709628437f7142abe60b16b
SHA256

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78
SHA512

3850bf301d8b925e9fb6c687c552af6d1e81931a9b2a365da0c701fae604457ef9dd287c5648c825e4e2fb522a0f280484c8ff5af745c446a82eaa360ae0f690
SSDEEP

49152:bXz+O50P0qdjy98BXzqPmb07DWkUdbnMxPucadyh5yLAd2TJwWpCRJltFhjW78Qx:bXz+UQxxyqBj4JDWkURi2caobCwWATir

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exeupdate_elf.exeupdate_elf.exe

pid process

996 svchost.exe
1480 svchost.exe
832 update_elf.exe
1724 update_elf.exe

pid	process
996	svchost.exe
1480	svchost.exe
832	update_elf.exe
1724	update_elf.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

update_elf.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	update_elf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update_elf.exe

Drops startup file 1 IoCs

Processes:

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\íå ðàññòðàèâàéñÿ.txt	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe

Loads dropped DLL 3 IoCs

Processes:

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exeupdate_elf.exe

pid	process
1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
832	update_elf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

Processes:

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
File opened for modification	C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 16 IoCs

Processes:

update_elf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\Class = "Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.OutlookViewCtl.DataCtlClass"	update_elf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\Assembly = "Microsoft.Office.Interop.OutlookViewCtl, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\RuntimeVersion = "v2.0.50727"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\ = "Outlook Today's Data-binding control"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\ProgID\ = "DataCtl.DataCtl.1"	update_elf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\14.0.0.0	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLCTL.DLL"	update_elf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\ProgID	update_elf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\VersionIndependentProgID	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\VersionIndependentProgID\ = "DataCtl.DataCtl"	update_elf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{30695FD4-3069-5FD4-3069-5FD430695FD4}\InprocServer32\ThreadingModel = "Apartment"	update_elf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

update_elf.exe

description	pid	process
Token: 33	1724	update_elf.exe
Token: SeIncBasePriorityPrivilege	1724	update_elf.exe
Token: 33	1724	update_elf.exe
Token: SeIncBasePriorityPrivilege	1724	update_elf.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exesvchost.exeupdate_elf.exe

description	pid	process	target process
PID 1632 wrote to memory of 996	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	svchost.exe
PID 1632 wrote to memory of 996	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	svchost.exe
PID 1632 wrote to memory of 996	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	svchost.exe
PID 1632 wrote to memory of 996	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	svchost.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 1632 wrote to memory of 832	1632	9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 996 wrote to memory of 1480	996	svchost.exe	svchost.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe
PID 832 wrote to memory of 1724	832	update_elf.exe	update_elf.exe

C:\Users\Admin\AppData\Local\Temp\9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe
"C:\Users\Admin\AppData\Local\Temp\9e160d32d727b4b12519156e8ba8d8ef0f4b697343644bea02bfe87bfa0f5e78.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
"C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:996

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
"C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe"
3⤵
- Executes dropped EXE
PID:1480

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
"C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
"C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
Filesize
2.2MB

MD5
f3822f3fdb660560c329de615a934d91

SHA1
19c41447d19ffaf4642838ab54c562c7519020cf

SHA256
00bb37849fa4b011d473bc503ad10392baf1787bbb3570f1f72010e04816f7fd

SHA512
a1990e97fca5377ee26ce88ed360d05456b3d8a0685c6bfaf7d54cc41d8cb7eaf7fd115bb063ecee5c562819826bb2a18019644e35025530dabf40b03b71e3b1

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
Filesize
2.2MB

MD5
f3822f3fdb660560c329de615a934d91

SHA1
19c41447d19ffaf4642838ab54c562c7519020cf

SHA256
00bb37849fa4b011d473bc503ad10392baf1787bbb3570f1f72010e04816f7fd

SHA512
a1990e97fca5377ee26ce88ed360d05456b3d8a0685c6bfaf7d54cc41d8cb7eaf7fd115bb063ecee5c562819826bb2a18019644e35025530dabf40b03b71e3b1

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
Filesize
1.8MB

MD5
b389dbde8adc6b322ace14563fb1df65

SHA1
40a571cd08005336290165d8c90a9fa020bb8ba5

SHA256
b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7

SHA512
d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
Filesize
1.8MB

MD5
b389dbde8adc6b322ace14563fb1df65

SHA1
40a571cd08005336290165d8c90a9fa020bb8ba5

SHA256
b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7

SHA512
d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600

Download Submit
C:\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
Filesize
1.8MB

MD5
b389dbde8adc6b322ace14563fb1df65

SHA1
40a571cd08005336290165d8c90a9fa020bb8ba5

SHA256
b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7

SHA512
d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600

Download Submit
\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\svchost.exe
Filesize
2.2MB

MD5
f3822f3fdb660560c329de615a934d91

SHA1
19c41447d19ffaf4642838ab54c562c7519020cf

SHA256
00bb37849fa4b011d473bc503ad10392baf1787bbb3570f1f72010e04816f7fd

SHA512
a1990e97fca5377ee26ce88ed360d05456b3d8a0685c6bfaf7d54cc41d8cb7eaf7fd115bb063ecee5c562819826bb2a18019644e35025530dabf40b03b71e3b1

Download Submit
\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
Filesize
1.8MB

MD5
b389dbde8adc6b322ace14563fb1df65

SHA1
40a571cd08005336290165d8c90a9fa020bb8ba5

SHA256
b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7

SHA512
d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600

Download Submit
\Program Files (x86)\Èíôîðìàöèîííûå Ðåøåíèÿ\Ñïðàâî÷íàÿ èíôîðìàöèÿ!\update_elf.exe
Filesize
1.8MB

MD5
b389dbde8adc6b322ace14563fb1df65

SHA1
40a571cd08005336290165d8c90a9fa020bb8ba5

SHA256
b653e0cdd78c9ab82cc09f6a9b5329b1d485e5b89b433b27d0ab5b4721d570d7

SHA512
d74f929a45fbd8573afaa6a802eacaa20a4d16abce528526f124c708345a180fcfe98cbb34b010fa1cf9e542c87356911222650ae2a63c5074e8382a5aa95600

Download Submit
memory/832-95-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/832-63-0x0000000000000000-mapping.dmp

Download
memory/832-86-0x0000000002650000-0x000000000289A000-memory.dmp

Filesize
2.3MB

Download
memory/832-72-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/996-99-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/996-67-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/996-56-0x0000000000000000-mapping.dmp

Download
memory/1480-97-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/1480-71-0x00000000024B0000-0x00000000026B4000-memory.dmp

Filesize
2.0MB

Download
memory/1480-59-0x0000000000000000-mapping.dmp

Download
memory/1480-70-0x0000000000400000-0x00000000006CA000-memory.dmp

Filesize
2.8MB

Download
memory/1632-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/1632-66-0x0000000003410000-0x00000000036DA000-memory.dmp

Filesize
2.8MB

Download
memory/1632-98-0x0000000003410000-0x00000000036DA000-memory.dmp

Filesize
2.8MB

Download
memory/1724-89-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1724-69-0x0000000000000000-mapping.dmp

Download
memory/1724-90-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1724-91-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1724-92-0x000000000040E000-0x000000000040F000-memory.dmp

Filesize
4KB

Download
memory/1724-93-0x00000000027F0000-0x00000000029F4000-memory.dmp

Filesize
2.0MB

Download
memory/1724-94-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1724-77-0x0000000000519000-0x000000000051A000-memory.dmp

Filesize
4KB

Download
memory/1724-96-0x00000000027F0000-0x00000000029F4000-memory.dmp

Filesize
2.0MB

Download
memory/1724-88-0x00000000027F0000-0x00000000029F4000-memory.dmp

Filesize
2.0MB

Download
memory/1724-87-0x0000000000400000-0x000000000064A000-memory.dmp

Filesize
2.3MB

Download
memory/1724-79-0x00000000027F0000-0x00000000029F4000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads