banload | 2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617

General

Target

2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Size

2.3MB
MD5

fa003936193d44f064e0f207afa24cac
SHA1

cdb5ab3b13d11539e01a4f2dadcc2ca6fcb8d534
SHA256

2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617
SHA512

30bd4c66733ec1ac455292e78f55c404c8a9f53d96a8bd4022abbcb3d4469dd813e6fd663b9111c9167151309a66ae38a2b45527906d38aca5eca90d282346c4
SSDEEP

49152:YOENIVuFmrWrTrddBLlWP7Tq68B1ECYJgkbft9AmZea+:YOWI0FmAdrLlWP7268B+5J9XAmZeR

Score

10^/10

banload downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\InprocServer32	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\InprocServer32\ThreadingModel = "Apartment"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\ProgID	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\TypeLib	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\Version\ = "1.0"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\Version	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\VersionIndependentProgID	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\VersionIndependentProgID\ = "Microsoft.PhotoAcqDropTarget"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\ = "PhotoAcqDropTarget"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4CFC7437-8789-28A2-AFD5-5B21A6CC4FB2}\ProgID\ = "Microsoft.PhotoAcqDropTarget.1"	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2616	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
Token: SeIncBasePriorityPrivilege	2616	2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe

C:\Users\Admin\AppData\Local\Temp\2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe
"C:\Users\Admin\AppData\Local\Temp\2a6b054c3052544003da8ab20ea92cdb523f9785d76c7590d5d8707f2e259617.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2616-0-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-1-0x0000000002540000-0x0000000002741000-memory.dmp

Filesize
2.0MB

Download
memory/2616-7-0x0000000002540000-0x0000000002741000-memory.dmp

Filesize
2.0MB

Download
memory/2616-8-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-9-0x0000000002540000-0x0000000002741000-memory.dmp

Filesize
2.0MB

Download
memory/2616-13-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-14-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-15-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-16-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-17-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-18-0x0000000002540000-0x0000000002741000-memory.dmp

Filesize
2.0MB

Download
memory/2616-20-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2616-21-0x0000000002540000-0x0000000002741000-memory.dmp

Filesize
2.0MB

Download
memory/2616-22-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download
memory/2616-24-0x0000000000400000-0x00000000006F0000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing