Analysis
-
max time kernel
152s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
01-11-2023 05:27
Static task
static1
Behavioral task
behavioral1
Sample
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe
Resource
win10v2004-20231023-en
General
-
Target
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe
-
Size
3.0MB
-
MD5
b8638cdb7a22b2553b8ef8a042b15719
-
SHA1
8eb74ad7dac04a206c6973c79c0e8b1a1661e3d5
-
SHA256
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e
-
SHA512
14f2bf7fe4f4c06432b37bcef57c50393212697c4b4b4bc572de2bb530e89310666736993583bee7def7cb65293f32041803f0bcaf8fb4ad1c6dadd22e969123
-
SSDEEP
49152:/pbRm4GPK/Ma2XWsTUePHnCQiRC/3poVDn99c1/0VX+me8xSZ15tL:h1GS/SWcH4g/5uDnu0VX+mzxMtL
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32\ = "%SystemRoot%\\System32\\InternetMailCsp.dll" 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32\ThreadingModel = "Both" 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe -
Modifies registry class 4 IoCs
Processes:
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32\ThreadingModel = "Both" 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2} 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\InprocServer32\ = "%SystemRoot%\\System32\\InternetMailCsp.dll" 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exesvchost.exedescription pid process Token: 33 3624 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Token: SeIncBasePriorityPrivilege 3624 29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe Token: SeManageVolumePrivilege 3708 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe"C:\Users\Admin\AppData\Local\Temp\29a171d1d4c17ff97b1ce9251f26489bad380babd8723c558de500b0cdc4c01e.exe"1⤵
- Checks BIOS information in registry
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3624
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3708