Analysis
max time kernel: 118s
max time network: 144s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 08-11-2023 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Resource: win10v2004-20231025-en
General
Target: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Size: 3.1MB
MD5: 19f597d09dfa21bbf8b1bc6a2f4c4b31
SHA1: 27fb06debcf2623deb5b9b95cba8463df89eca64
SHA256: deaba42786b8f39391a64808eb7756221c958413c652817f24bb0e439937aba7
SHA512: bd99cfd2a22450cb60170282351518b3dc7bd0c11c29b908f90b0901d2ab1632cfe71ac72ae65d97a4b58d7aeb28d41e46688c7a878afcec8fbc0f78224b73fa
SSDEEP: 49152:BvjLo6O9TPfbxVt4gsVzxau1d9U8VxucHK6nI2WF3MXzU3Pr2DTg3ViZffgVgDkg:Bv0fbbt4gsVzxau1d9DxujRFcjUfTVqD
Malware Config
Signatures
Banload
Banload variants download malicious files, then install and execute the files.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
description       | ioc                                                              | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate    | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Modifies registry class (5 IoCs)
Processes: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
description     | ioc                                                                                                                            | process
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}                                   | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\ = "Csc Sync"                     | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Key created     | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InProcServer32                    | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InProcServer32\ThreadingModel = "Apartment" | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
description                          | pid  | process
Token: 33                            | 2584 | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Token: SeIncBasePriorityPrivilege    | 2584 | 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe