Analysis
- max time kernel: 122s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231020-en
- resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
- submitted: 24-10-2023 04:29
Static task
- static1

Behavioral task
- behavioral1
  Sample: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Resource: win7-20231020-en

Behavioral task
- behavioral2
  Sample: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Resource: win10v2004-20231023-en
General
- Target: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
- Size: 2.0MB
- MD5: 318a6a47c20714c8e472d37910ea595e
- SHA1: 54951f769b41af876a1989bf3739afb249989a83
- SHA256: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf
- SHA512: d41097cf07fbc73bb1f42a6920f5a887ebbdd1173bf5ca68082b912873b16cf509bf7c53f21151320e0de69913b3a8bcdf58355d3be7405eec66d8cb101257ee
- SSDEEP: 49152:ApbRm4GPK/MeCCT+77kpTAd3PlLjoVDn99c1/0VX28YKF7:E1GS/WkUfl3uDnu0VX28YM
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe

- Registers COM server for autorun (1 TTPs, 3 IoCs)
  Processes: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32 | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ = "C:\\Windows\\System32\\CPFilters.dll" | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ThreadingModel = "Both" | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe

- Modifies registry class (5 IoCs)
  Processes: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584} | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ = "PBDA DTFilter" | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32 | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ = "C:\\Windows\\System32\\CPFilters.dll" | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ThreadingModel = "Both" | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  description | pid | process
  Token: 33 | 2516 | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Token: SeIncBasePriorityPrivilege | 2516 | 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe"
  - Checks BIOS information in registry
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 2516