Analysis
max time kernel: 142s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231023-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231023-en locale:en-us os:windows10-2004-x64 system
submitted: 24-10-2023 04:29

Static task: static1
Behavioral task: behavioral1
  Sample: 77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: 77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll
  Resource: win10v2004-20231023-en

General
Target: 77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll
Size: 3.1MB
MD5: f012e8ea8ee694e126b2ab5ed44e5961
SHA1: f7820baa6ef2c9c5265f062a47bd05b2249f41b1
SHA256: 77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039
SHA512: 599bc58034eb336262fe0040cb300012206620e8d6007b9e423d2a10d743f367f0556dafe5058e00b7402d29e4d87d256513ffa1463d012571f77db6c4b46a24
SSDEEP: 49152:WlNRTtP4Nngs1sOTLuDJE1L3PyV2jGoVDn99c1/0VXz4YQADDvisA7ul:UVA+JEtk2yuDnu0VXz4YZDit
Malware Config
Signatures
Banload
Banload variants download malicious files, then install and execute the files.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments. On its own this is a weak signal, since installers, licensing and telemetry code read the same values; weigh it together with the COM registration below.
Processes: regsvr32.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | regsvr32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | regsvr32.exe
Registers COM server for autorun (1 TTPs, 6 IoCs)
The sample registers itself as an in-process COM server: the InprocServer32 default value of CLSID {20216401-AE2E-4A01-81A1-0F0BA89F8885} points at the DLL in the user's Temp directory, so anything that activates that class loads the sample. A second CLSID, {54659997-AE7E-9524-DC29-D79920BCD584}, is pointed at C:\Windows\System32\shell32.dll.
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ = "C:\\Windows\\System32\\shell32.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
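The practical follow-up to the COM registration above is to check whether the same pattern exists on hosts you manage: an InprocServer32 value that resolves to a DLL outside the Windows or Program Files trees, or one of the two CLSIDs from this report. The script below is an added hunt example, not part of the Triage report or of the sample; it assumes it is run in an elevated PowerShell on the host under review, and the trusted-root list and output columns are choices made for this example.

```powershell
# Added hunt script (not part of the Triage report). Enumerates in-process COM
# servers and reports any whose DLL lives outside the Windows / Program Files
# trees, which is the persistence pattern in the report:
# CLSID {20216401-AE2E-4A01-81A1-0F0BA89F8885} -> a DLL in the user's Temp folder.
# Assumptions: elevated PowerShell on the host under review; the trusted-root
# list and the output shape are choices made for this example.

$ReportClsids = @(
    '{20216401-AE2E-4A01-81A1-0F0BA89F8885}'   # "Connect Class" -> sample DLL in %TEMP%
    '{54659997-AE7E-9524-DC29-D79920BCD584}'   # second class -> C:\Windows\System32\shell32.dll
)

# Directories a normally installed in-proc server is expected to live under.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-OutsideTrustedRoots {
    param([string]$ServerPath)
    $p = $ServerPath.Trim().Trim('"')
    # Empty values and bare file names (resolved by DLL search order) are not judged here.
    if ($p -eq '' -or $p -notmatch '\\') { return $false }
    foreach ($root in $TrustedRoots) {
        if ($p.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-InprocServer {
    param($ClsidKey)   # a key object returned by Get-ChildItem on a CLSID hive
    # Registry key names are case-insensitive, so this also matches "InProcServer32".
    $sub = $ClsidKey.PSPath + '\InprocServer32'
    if (-not (Test-Path -LiteralPath $sub)) { return }
    $props = Get-ItemProperty -LiteralPath $sub -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive           = ($ClsidKey.PSPath -replace '^.*::', '')
        Clsid          = $ClsidKey.PSChildName
        Server         = [Environment]::ExpandEnvironmentVariables([string]$props.'(default)')
        ThreadingModel = [string]$props.ThreadingModel
    }
}

$Hives = @(
    'HKLM:\SOFTWARE\Classes\CLSID'
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
    'HKCU:\SOFTWARE\Classes\CLSID'   # consulted before HKLM for medium-integrity processes of that user
)

$Findings = foreach ($hive in $Hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $hive -ErrorAction SilentlyContinue) {
        $entry = Get-InprocServer -ClsidKey $key
        if ($null -eq $entry) { continue }
        $reason = if ($ReportClsids -contains $entry.Clsid) { 'CLSID seen in sandbox report' }
                  elseif (Test-OutsideTrustedRoots $entry.Server) { 'server DLL outside trusted roots' }
        if ($reason) { $entry | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
    }
}

$Findings | Format-Table Clsid, Server, ThreadingModel, Reason -AutoSize
```

Expect some benign hits from third-party software installed under user profiles; the value of the output is the list of CLSIDs to review, not a verdict. The HKCU hive is included because a per-user registration of the same CLSID is the usual way such a server is made to load without administrative rights.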
Modifies registry class (52 IoCs)
Processes: regsvr32.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ThreadingModel = "Both" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib\ = "{20216402-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\ProgID\ = "NoteFavorites2021.Connect.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib\ = "{20216402-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib\ = "{20216402-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect.1\ = "Connect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\FLAGS\ = "0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\0\win32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect.1\CLSID\ = "{20216401-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ = "IConnect" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\ = "Note Gem - Favorites Tab 2021 1.0 Type Library" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect\ = "Connect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\ = "By value marshaled conflict interrupt" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect\CurVer\ = "NoteFavorites2021.Connect.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\ = "Connect Class" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect\CurVer | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\FLAGS | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\HELPDIR | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\77f781aa7ce208fb02ae9acbc27caa527fb3050aebd6435dad3912bb2e9e7039.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect\CLSID\ = "{20216401-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\AppID = "{20216401-AE2E-4A01-81A1-0F0BA89F8885}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NoteFavorites2021.Connect.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20216401-AE2E-4A01-81A1-0F0BA89F8885}\VersionIndependentProgID\ = "NoteFavorites2021.Connect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ = "IConnect" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54659997-AE7E-9524-DC29-D79920BCD584}\InProcServer32\ = "C:\\Windows\\System32\\shell32.dll" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20216402-AE2E-4A01-81A1-0F0BA89F8885}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20216403-AE2E-4A01-81A1-0F0BA89F8885}\TypeLib | regsvr32.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: regsvr32.exe
description | pid | process
Token: 33 | 1956 | regsvr32.exe
Token: SeIncBasePriorityPrivilege | 1956 | regsvr32.exe