Analysis
max time kernel: 141s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-10-2023 04:29
Static task: static1
Behavioral task: behavioral1
  Sample: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
  Resource: win10v2004-20231023-en
General
Target: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
Size: 2.0MB
MD5: 318a6a47c20714c8e472d37910ea595e
SHA1: 54951f769b41af876a1989bf3739afb249989a83
SHA256: 5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf
SHA512: d41097cf07fbc73bb1f42a6920f5a887ebbdd1173bf5ca68082b912873b16cf509bf7c53f21151320e0de69913b3a8bcdf58355d3be7405eec66d8cb101257ee
SSDEEP: 49152:ApbRm4GPK/MeCCT+77kpTAd3PlLjoVDn99c1/0VX28YKF7:E1GS/WkUfl3uDnu0VX28YM
Malware Config
Signatures

Banload
Banload variants download malicious files, then install and execute them.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: the SystemBiosVersion and SystemBiosDate strings identify the firmware vendor, and hypervisor identifiers in those strings are a common sandbox tell.
Processes:
  5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Registers COM server for autorun (1 TTP, 3 IoCs)
Processes:
  5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ = "%ProgramFiles%\\Windows Photo Viewer\\PhotoAcq.dll"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ThreadingModel = "Apartment"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32
The InprocServer32 default value names the DLL that COM loads into any process that instantiates this CLSID, which is why the sandbox flags the write as an autorun mechanism. The path points at PhotoAcq.dll under %ProgramFiles%\Windows Photo Viewer, a Windows Photo Viewer component; the registry entry alone does not show whether the file at that path is still the signed original, so that has to be confirmed on disk. All of these writes target the machine hive (\REGISTRY\MACHINE, i.e. HKLM\SOFTWARE\Classes), which a standard user cannot modify.

Modifies registry class (13 IoCs)
Processes:
  5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ProgID
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\VersionIndependentProgID
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\VersionIndependentProgID\ = "Microsoft.PhotoProgressDialog"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\TypeLib
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\Version
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ = "%ProgramFiles%\\Windows Photo Viewer\\PhotoAcq.dll"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InprocServer32\ThreadingModel = "Apartment"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ = "PhotoProgressDialog"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ProgID\ = "Microsoft.PhotoProgressDialog.1"
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\Version\ = "1.0"
Taken together (class name, ProgID, VersionIndependentProgID, TypeLib, Version, InprocServer32 with Apartment threading) these keys have the layout of an ordinary COM class registration. A trailing backslash on a key path in this listing denotes the key's default value.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe (PID 4384)
    Token: 33
    Token: SeIncBasePriorityPrivilege
Enabling SeIncBasePriorityPrivilege is low-signal on its own: administrators hold it by default and legitimate software enables it to raise its own scheduling priority. It is worth noting here mainly because it confirms the process was running with an administrative token, consistent with the HKLM writes above.
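The two registry signatures above (the SystemBios* reads and the CLSID\InprocServer32 writes) are the rows a responder turns into host checks. The script below is an added example written for this page; it is not part of the report or of the sandbox's tooling. It takes rows in the shape the report renders them (operation, NT registry path, value, process image), normalizes the \REGISTRY\MACHINE prefix to HKLM as Sysmon and PowerShell spell it, and classifies each row as an anti-sandbox BIOS read or a COM in-process server registration, pulling out the CLSID and DLL path. The sample records are constructed from the rows on this page; the hive map, the list of user-writable roots and the Windows-owned path prefixes are assumptions of the example, not data from the report.

```python
"""Turn a sandbox report's registry IoCs into triage findings.

Added example, not part of the report or any sandbox's own code. Record shape
and sample data mirror the report's IoC rendering; the hive map, "user-writable
root" hints and Windows-owned prefixes are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Reports render native NT paths; Sysmon EID 12/13 and PowerShell use hive
# prefixes, so normalize before matching.
NT_HIVE_MAP = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# <CLSID>\InprocServer32 default value = DLL that COM loads into every client
# creating that class. A trailing backslash on the rendered key path denotes
# the key's default value.
CLSID_INPROC_DEFAULT_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})\\InprocServer32\\$",
    re.IGNORECASE)
BIOS_READ_RE = re.compile(
    r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBios(?:Date|Version)$", re.IGNORECASE)
# Assumption: images under these roots are user-writable and have no business
# registering machine-wide COM servers. Compared case-insensitively.
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumption: DLL paths under these prefixes belong to Windows; the registry
# alone cannot show whether the file on disk is still the signed original.
WINDOWS_OWNED_PREFIXES = ("%programfiles%", "%systemroot%", "c:\\windows\\", "c:\\program files")


@dataclass
class Finding:
    kind: str  # "anti_sandbox_bios_read" or "com_inproc_registration"
    key: str
    process: str
    clsid: Optional[str] = None
    dll: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def normalize_path(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\... -> HKLM\\...; unknown prefixes pass through."""
    for prefix, hive in NT_HIVE_MAP.items():
        if nt_path.upper().startswith(prefix.upper()):
            return hive + nt_path[len(prefix):]
    return nt_path


def classify(op: str, nt_path: str, value: Optional[str], process: str) -> Optional[Finding]:
    """Map one (operation, NT path, value, process) record to a finding, or None."""
    key = normalize_path(nt_path)
    if op == "Key value queried" and BIOS_READ_RE.match(key):
        return Finding("anti_sandbox_bios_read", key, process, notes=[
            "SystemBios* strings name the firmware vendor; hypervisor identifiers are a sandbox tell"])
    match = CLSID_INPROC_DEFAULT_RE.match(key)
    if op == "Set value (str)" and match and value:
        finding = Finding("com_inproc_registration", key, process, clsid=match.group(1), dll=value)
        if any(hint in process.lower() for hint in USER_WRITABLE_HINTS):
            finding.notes.append("registering process runs from a user-writable path")
        if value.lower().startswith(WINDOWS_OWNED_PREFIXES):
            finding.notes.append("DLL path is Windows-owned; verify the file on disk is the signed original")
        return finding
    return None


def triage(records) -> List[Finding]:
    """Classify (op, nt_path, value, process) tuples in order, dropping benign ones."""
    return [f for f in (classify(*r) for r in records) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Per-kind counts plus the CLSIDs to check on a live host."""
    counts: dict = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return {"counts": counts, "clsids": sorted({f.clsid for f in findings if f.clsid})}


# Sample input constructed from the report's IoC lines (not a live capture).
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe")
CLSID_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}"
SAMPLE_RECORDS = [
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate", None, SAMPLE_EXE),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", None, SAMPLE_EXE),
    ("Key created", CLSID_KEY + "\\InprocServer32", None, SAMPLE_EXE),
    ("Set value (str)", CLSID_KEY + "\\InprocServer32\\",
     r"%ProgramFiles%\Windows Photo Viewer\PhotoAcq.dll", SAMPLE_EXE),
    ("Set value (str)", CLSID_KEY + "\\InprocServer32\\ThreadingModel", "Apartment", SAMPLE_EXE),
    ("Set value (str)", CLSID_KEY + "\\ProgID\\", "Microsoft.PhotoProgressDialog.1", SAMPLE_EXE),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.kind:<26} {f.key}  " + "; ".join(f.notes))
    print(summarize(triage(SAMPLE_RECORDS)))
```

The value-set rows map onto Sysmon Event ID 13 (RegistryEvent, value set) with a TargetObject under HKLM\SOFTWARE\Classes\CLSID\, which is what the HKLM normalization is for. The two BIOS reads have no Sysmon equivalent: Sysmon records key creation and value writes, not reads, so they surface only in a sandbox's API trace or a kernel registry ETW trace. The CLSIDs in the summary are the ones to query on a suspect host and compare against the DLL actually present at the registered path.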
Processes
C:\Users\Admin\AppData\Local\Temp\5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe (PID 4384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5e4354d975b8f1543d66ca388e4755d3df3bec54b2a20a31f404934640b1fdbf.exe"
  - Checks BIOS information in registry
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
The process tree has a single entry: the sample spawned no child processes during this run.