Analysis
- max time kernel: 132s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-10-2023 15:29
Static task: static1
Behavioral task: behavioral1
  Sample: a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Resource: win10v2004-20231023-en
General
- Target: a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
- Size: 2.2MB
- MD5: 7c4d226a7f57c5dc1b17b1a1f2f6ee9b
- SHA1: 37d9730dd544572fb7713b6fdcb8204773921dca
- SHA256: a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6
- SHA512: 3010049f95261297ab9e0fd4c15a06bf11835c07591cb40c32ff2407587da06aeabecee0bfd36487be07f31f1fb4b400d9e0b95143e4d29a23d0dbad5ef7e345
- SSDEEP: 49152:p2gYP6qky5WWTEPI7loWRBaG68B1ECYJgkh6NVN+:p2fP6DyYPqloWRBN68B+5Jn6NVY
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
- Modifies registry class (5 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C492E08-B123-D1CC-7D2D-1D956A015BF3}\ = "IE OpenService Manager" | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C492E08-B123-D1CC-7D2D-1D956A015BF3}\InProcServer32 | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C492E08-B123-D1CC-7D2D-1D956A015BF3}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll" | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C492E08-B123-D1CC-7D2D-1D956A015BF3}\InProcServer32\ThreadingModel = "Apartment" | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C492E08-B123-D1CC-7D2D-1D956A015BF3} | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: 33 | 3560 | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Token: SeIncBasePriorityPrivilege | 3560 | a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1e7648535ccc5a8d07d131da0b49bb2db3d5ef58dff4665bc6ad76efbc6dce6.exe"
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID: 3560