Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 24-10-2023 04:29
Static task: static1
Behavioral task: behavioral1
  Sample: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Resource: win10v2004-20231020-en
General
Target: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Size: 2.1MB
MD5: 1733049ca883f6e64071bca49731f581
SHA1: dc465e4b5a2c8a9b467166660aa6417137507b20
SHA256: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b
SHA512: 531209cdab4bdfc02978c1ac3e89bd66f69a8edec3e3eed82e3d40cb581fc5cba9ab6ac88b5681cc402bddd12af772ee149111886a4a0a9c4c57a0969690a698
SSDEEP: 49152:+MUSWPePiTGrTlOS+CXunD68B1ECYJgkbn7:+MaPwi6OVCXunD68B+5J1
Malware Config
(none extracted)
Signatures
Banload
Banload variants download malicious files, then install and execute the files.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Modifies registry class (11 IoCs)
Processes: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\BCSRuntime.dll" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ProgID | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ProgID\ = "BCSRuntime.AsyncAppartmentCallback.1" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\TypeLib\ = "{98F9F0CA-527D-4b2a-944A-1B99E18670A7}" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\VersionIndependentProgID\ = "BCSRuntime.AsyncAppartmentCallback" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584} | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ = "AsyncAppartmentCallback" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ThreadingModel = "Apartment" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\TypeLib | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\VersionIndependentProgID | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
description | pid | process
Token: 33 | 1964 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Token: SeIncBasePriorityPrivilege | 1964 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe"
   - Checks BIOS information in registry
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   PID: 1964