Analysis
max time kernel: 142s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-10-2023 04:29
Static task: static1
Behavioral task: behavioral1
  Sample: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Resource: win10v2004-20231020-en
General
Target: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Size: 2.1MB
MD5: 1733049ca883f6e64071bca49731f581
SHA1: dc465e4b5a2c8a9b467166660aa6417137507b20
SHA256: 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b
SHA512: 531209cdab4bdfc02978c1ac3e89bd66f69a8edec3e3eed82e3d40cb581fc5cba9ab6ac88b5681cc402bddd12af772ee149111886a4a0a9c4c57a0969690a698
SSDEEP: 49152:+MUSWPePiTGrTlOS+CXunD68B1ECYJgkbn7:+MaPwi6OVCXunD68B+5J1
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ThreadingModel = "Both" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584} | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ = "CCellularExternalEventHelper" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ = "C:\\Windows\\SysWOW64\\MbaeApi.dll" | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: 33 | 3008 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
  Token: SeIncBasePriorityPrivilege | 3008 | 33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\33ddf17e4bb2b8f61a58f4eb88461bc0e97b63f708d076e5daea22394c88d12b.exe"
   PID: 3008
   - Checks BIOS information in registry
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken