Analysis
max time kernel: 146s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 14-10-2023 00:19
Static task: static1

Behavioral task: behavioral1
Sample: 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Resource: win7-20230831-en

Behavioral task: behavioral2
Sample: 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Resource: win10v2004-20230915-en
General
Target: 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Size: 2.3MB
MD5: 752236eed39b3f7f2eea527e6a9f6fa4
SHA1: ced1889bcacb52d129ef6cab66613a9c46baf525
SHA256: 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e
SHA512: 6f7de5bf48b79f051222359cae88de4ba47fd59d011c7a83071a11a4c9904ab4d6015a7961fa473f77fcfe370605bf64d27a8c12a6fa686c9d86556b1282f05e
SSDEEP: 49152:AOENIVuFmTWrTrO8rZ2X7d8nI68B1ECYJgkF5HlWAmZea+:AOWI0Fm4OaZ2X7d8I68B+5JmAmZeR
Malware Config
Signatures

Banload
Banload variants download malicious files, then install and execute the files.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Modifies registry class (9 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32 | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\Assembly = "office, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\RuntimeVersion = "v2.0.50727" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410} | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\Class = "Microsoft.Office.Core.CustomXMLSchemaCollectionClass" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\15.0.0.0 | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Core.CustomXMLSchemaCollectionClass" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\15.0.0.0\Assembly = "office, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E2C3B146-104F-E6F5-3F67-86BEA3A30410}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: 33 | 4268 | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Token: SeIncBasePriorityPrivilege | 4268 | 494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Processes
Process: C:\Users\Admin\AppData\Local\Temp\494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\494a3cac87aa6ce2b8024035209a1ed581820414048b345a749be450cf468f3e.exe"
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID: 4268