Analysis
max time kernel: 100s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20231025-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231025-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2023 17:30
Static task: static1
Behavioral task: behavioral1
  Sample: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Resource: win10v2004-20231025-en
The resource named in the Analysis block (win10v2004-20231025-en) is the one used by behavioral2, so the signatures below come from the Windows 10 run.
General
Target: 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Size: 3.1MB
MD5: 19f597d09dfa21bbf8b1bc6a2f4c4b31
SHA1: 27fb06debcf2623deb5b9b95cba8463df89eca64
SHA256: deaba42786b8f39391a64808eb7756221c958413c652817f24bb0e439937aba7
SHA512: bd99cfd2a22450cb60170282351518b3dc7bd0c11c29b908f90b0901d2ab1632cfe71ac72ae65d97a4b58d7aeb28d41e46688c7a878afcec8fbc0f78224b73fa
SSDEEP: 49152:BvjLo6O9TPfbxVt4gsVzxau1d9U8VxucHK6nI2WF3MXzU3Pr2DTg3ViZffgVgDkg:Bv0fbbt4gsVzxau1d9DxujRFcjUfTVqD
Malware Config
Signatures

Banload
Banload is a downloader family: variants fetch additional malicious files, then install and execute them.

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: virtual-machine firmware typically reports vendor strings (for example VBOX, VMware or QEMU) in these values. The report records only that the values were read, not what they were compared against, and hardware-inventory and licensing code reads the same keys, so treat this as supporting rather than conclusive evidence of evasion.
Processes:
19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate

Modifies registry class (16 IoCs)
Processes:
19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32\ThreadingModel = "both"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\VersionIndependentProgID\ = "PLA.TraceSession"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\ = "TraceSession"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\AppID = "{03837503-098b-11d8-9414-505054503030}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\ProgID\ = "PLA.TraceSession.1"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\VersionIndependentProgID
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}"
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\Version\ = "1.0"
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\LocalServer32
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\ProgID
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\TypeLib
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\Version
All sixteen writes register a single COM class, {C3BCFCD2-60C9-A88A-0991-6EC4230985A7}, under the WOW6432Node view of HKLM\SOFTWARE\Classes\CLSID, which is where a 32-bit process's CLSID writes are redirected on 64-bit Windows. The values (ProgID PLA.TraceSession, InprocServer32 %SystemRoot%\SysWow64\pla.dll, LocalServer32 %SystemRoot%\SysWow64\plasrv.exe) point at the stock Performance Logs and Alerts binaries rather than at a path under the sample's control. That is what registration of the built-in PLA class looks like, not a COM hijack; a hijack would redirect InprocServer32 or LocalServer32 to a user-writable location. Diff these keys against the same clean image before using them as indicators.
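The two signatures above (the BIOS-value reads and the CLSID registration) arrive as flattened event lines that an analyst usually ends up re-parsing by hand. The following Python is an added example, not code from the sandbox vendor or from this report. It parses lines in the layout shown on this page into records, flags reads of the BIOS fingerprinting values, and checks whether each InprocServer32/LocalServer32 default value points into System32 or SysWow64; the trusted-directory list is an assumption of the example. The sample input reuses lines from this report plus one constructed hijack line, with a fake CLSID, path and process name, so that a positive result is visible.

```python
"""Triage helper for flattened sandbox registry IoC lines.

Added example; not code from the sandbox vendor or from the report. It assumes the
line layout seen on this page ("<operation> <registry path>[ = "<data>"] <process>")
and treats System32/SysWow64 as the only trusted homes for a COM server (heuristic).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Registry values commonly read to fingerprint a VM or sandbox (the report shows both).
SANDBOX_KEYS = {
    r"\registry\machine\hardware\description\system\systembiosversion",
    r"\registry\machine\hardware\description\system\systembiosdate",
}

# Assumption: a stock COM server lives under one of these; anything else is worth a look.
TRUSTED_DIRS = ("%systemroot%\\system32\\", "%systemroot%\\syswow64\\")

LINE_RE = re.compile(
    r"^(?P<op>Key value queried|Key created|Set value \((?:str|int|data)\))\s+"
    r"(?P<path>\\REGISTRY\\\S+?)"            # registry paths carry no spaces in this layout
    r'(?:\s*=\s*"(?P<data>.*?)")?'            # optional quoted data for Set value lines
    r"\s+(?P<proc>\S+\.exe)$"
)


@dataclass
class RegEvent:
    op: str
    path: str
    data: Optional[str]
    process: str


def parse_line(line: str) -> Optional[RegEvent]:
    """Parse one flattened IoC line; returns None for lines that are not registry events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    data = m["data"]
    if data is not None:
        data = data.replace("\\\\", "\\")  # the report escapes backslashes inside string data
    return RegEvent(m["op"], m["path"], data, m["proc"])


def parse_report(text: str) -> List[RegEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def triage(events: List[RegEvent]) -> Dict[str, List[str]]:
    """Classify events: sandbox fingerprinting reads and COM server registrations."""
    out: Dict[str, List[str]] = {
        "sandbox_checks": [],
        "com_servers": [],
        "com_servers_outside_system": [],
    }
    for ev in events:
        if ev.op == "Key value queried" and ev.path.lower() in SANDBOX_KEYS:
            out["sandbox_checks"].append(ev.path.rsplit("\\", 1)[1])
        # Only the default value of InprocServer32/LocalServer32 names the server binary;
        # sibling values such as ThreadingModel are ignored.
        if (ev.op.startswith("Set value") and ev.data
                and re.search(r"\\(?:InprocServer32|LocalServer32)\\$", ev.path)):
            out["com_servers"].append(ev.data)
            if not ev.data.lower().startswith(TRUSTED_DIRS):
                out["com_servers_outside_system"].append(ev.data)
    return out


# Constructed sample: the first six lines are copied from this report; the last line is a
# made-up COM hijack (fake CLSID, fake path, fake process) to show what a positive looks like.
SAMPLE_REPORT = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32\ThreadingModel = "both" 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C3BCFCD2-60C9-A88A-0991-6EC4230985A7}\InprocServer32 19F597D09DFA21BBF8B1BC6A2F4C4B31.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Public\\evil.dll" constructed.exe
"""

if __name__ == "__main__":
    for name, hits in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {hits}")
```

Running the block prints the two BIOS values read, the three COM server paths seen, and only the constructed evil.dll entry under com_servers_outside_system; the two stock PLA paths from this report pass the trusted-directory check.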
Suspicious use of AdjustPrivilegeToken (2 IoCs)
The process called AdjustTokenPrivileges to enable privileges on its own token.
Processes:
19F597D09DFA21BBF8B1BC6A2F4C4B31.exe (pid 4984)
  Token: 33
  Token: SeIncBasePriorityPrivilege
SeIncBasePriorityPrivilege only lets a process raise its own scheduling priority, and the report shows no SeDebugPrivilege or other privilege that would enable process tampering, so this signature is low-confidence on its own; the entry 33 is a privilege the report shows by number rather than by name.