Analysis
  max time kernel: 150s
  max time network: 127s
  platform: windows7_x64
  resource: win7-20230831-en
  resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  submitted: 13-10-2023 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
  Resource: win10v2004-20230915-en
General
  Target: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
  Size: 4.4MB
  MD5: c56c5a79377a4cd550888a9701e8e0a9
  SHA1: 60f9492b5e6fb3f8eae7c6f958e489708e898bba
  SHA256: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074
  SHA512: 8b9897df8ade413ab5f59831a2b4d41e025cca1350ac8a6512750753b42694fdce33cb3de1de53a8284ff3819257730485b9afbe6a55d873a9b5c8da3e9464bc
  SSDEEP: 49152:raCYUCCvVWr3dvtwRTdCvOw+FtMyMpy7cxnz2Wv0D098YYsXNF4jgDvoaqsKwfcU:rHYUCCvcr3dv7OwYPWGSp0w98SNOgDY
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
- Modifies registry class (17 IoCs)
  Processes: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32\ThreadingModel = "Both" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\VersionIndependentProgID\ = "BDATuner.ATSCChannelTuneRequest" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352} | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\TypeLib | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Version | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\VersionIndependentProgID | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ = "BDA Tuning Model ATSC Channel Tune Request" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ProgID | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Programmable | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Version\ = "1.0" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296} | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32 | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ProgID\ = "BDATuner.ATSCChannelTuneRequest.1" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\TypeLib\ = "{9B085638-018E-11D3-9D8E-00C04F72D980}" | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    pid | process
    1196 | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    (the same pid/process pair is repeated for each of the 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    description | pid | process
    Token: 33 | 1196 | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
    Token: SeIncBasePriorityPrivilege | 1196 | 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe"
  PID: 1196
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken