banload | c354051e40c306d7a6b0dd860931d6084aea34385b5e4c342281dd92e47bb639

Analysis

max time kernel
39s
max time network
19s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

datainform.scr
Size

1.9MB
MD5

c7e0400dd92745e76a802f62bbdfa258
SHA1

5990ba07cb55111fc5b610b1bd1f1c4d60eaa5fa
SHA256

303b173796a39a53de197d6e2c68bbe3cb0227a4f40c318c6ae329e7ee804c27
SHA512

ed484a9c80908c1d72bae77943a722ebb86f8dc87a80a9f8d6c33b3b616988db26303f14919e16b854a57354b259c9d883ab7662fa5eb04e154963390da194a2
SSDEEP

49152:mXz+6rnxVOib7LBZqRuiyT7QuXEUcfU1fbBULG125Bm:mXz+IxQiHLW8tAsVS5Bm

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	inf.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	inf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	inf.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\videocodec.exe	datainform.scr

Executes dropped EXE 2 IoCs

pid	Process
2672	inf.exe
2916	inf.exe

Loads dropped DLL 3 IoCs

pid	Process
812	datainform.scr
812	datainform.scr
2672	inf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe	datainform.scr

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\ = "Cor IE Security Manager, CorIESecurityManager, CorIESecurityManager 1"	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\InprocServer32\ = "mscoree.dll"	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\Server	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\Server\ = "mscorld.dll"	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\VersionIndependentProgID\ = "CorRegistration.CorIESecurityManager"	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\ProgID\ = "CorRegistration.CorIESecurityManager.1"	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\InprocServer32	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\InprocServer32\2.0.50727\ImplementedInThisVersion	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\ProgID	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\VersionIndependentProgID	inf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\InprocServer32\ThreadingModel = "Both"	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\InprocServer32\2.0.50727	inf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3EA80258-3EA8-0258-3EA8-02583EA80258}\NotInsertable	inf.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2916	inf.exe
Token: SeIncBasePriorityPrivilege	2916	inf.exe
Token: 33	2916	inf.exe
Token: SeIncBasePriorityPrivilege	2916	inf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 2672	812	datainform.scr	28
PID 812 wrote to memory of 2672	812	datainform.scr	28
PID 812 wrote to memory of 2672	812	datainform.scr	28
PID 812 wrote to memory of 2672	812	datainform.scr	28
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29
PID 2672 wrote to memory of 2916	2672	inf.exe	29

C:\Users\Admin\AppData\Local\Temp\datainform.scr
"C:\Users\Admin\AppData\Local\Temp\datainform.scr" /S
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:812
- C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe
  "C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe
    "C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\inf.exe
      "C:\Users\Admin\AppData\Local\Temp\inf.exe"
      4⤵
      PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe

Filesize
1.1MB

MD5
9454c17d2d2b9d98e56168abaa928e49

SHA1
1c3c8e00e6a404ce342d64f5dfdbffd5189ad1ea

SHA256
60212f09637c2973e79f48f90bb89cf0830cb4c7bf8d2d91b57d12b40b2f99ea

SHA512
7962f57fe2e574a0b3373a0d9b710e99ec32784b691f6809147785687b18c83bd5268eeba7b2fc5e8497d9fa6f92d25887e35ab2e86e6bd8cd45bbd039436588

Download Submit
C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe

Filesize
3.5MB

MD5
4dd8dd8dddfb35fdac4865e397d4c0f7

SHA1
5668e75f54ca1162c430002873678b83039a87ab

SHA256
fb2bd9f8e5dda61809aff08df54f887844e36852ac85f774272412be7e593abe

SHA512
88ffd9b10c2d5515850e35fe989e070048ae9f0099cad0bd8a6cca6b140343bfc09174fe17420cd6e99cd2e36b1e88b53b7a9b25a7c27261fe13ce9b25fec23a

Download Submit
C:\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe

Filesize
3.2MB

MD5
822ca5a8d5b982b2a31cea1dc1d6638a

SHA1
cf188c04ed071724b1f1ef46cf37f4d126ac3b89

SHA256
f907bd33e651bae55f2f21e7ff78db6c86fb4cba1426450c58a402b96872ab33

SHA512
15a58fe7fda04850d842fd8c0f93b70fe22dcd6b422f8f6021f623b4ecf44fe920aaba7a97cbcb96aef2e4ddbf769b72bfa1a45ff7ca29ea9350665f7beb3733

Download Submit
\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe

Filesize
1024KB

MD5
161d5c4030119e5b8a5e9336f341271b

SHA1
e9848b0546393b1f718848f8730f760700ae8cf7

SHA256
6a400092ffa54db0095ad45fce16cb591f165406451e442fed426f5834070b54

SHA512
11a00a6243ecdad70b4eeb0f64fd1dd68b61834e47999ed4b5c7202cc6f128d869b3f9c881c11307ddf56d4e026e7c295f4128591fb030658fd8ef3ebffc71b5

Download Submit
\Program Files (x86)\Ìàêñèìàëüíîå Ñæàòèå\Ìàéêðîñîôò Âîðä\inf.exe

Filesize
3.1MB

MD5
b7ee15188e1fb8f192ba25d4208d474f

SHA1
fb753b0ea49a774faf680f4b90bf2329cb165b0b

SHA256
ded3be3847db9de9e4f3319b326e498f1481d5020235dab086ffed190be50d6b

SHA512
22fa4ace6277fde16e7a2381ec16c07af702194145108ecd7822106946ee6c0fa347db82a84635dce9b5a75805afffa491c5f930c32ac7f42fb39a41962fb56c

Download Submit
\Users\Admin\AppData\Local\Temp\inf.exe

Filesize
1.6MB

MD5
7a140a429670c55831386e558fd9bc60

SHA1
41b839aa2b30176b4794acd8ffc058e438511836

SHA256
568fad14a931796f252e9e5f02cb4326e1fc2b4076f576a019a28f0f6df7263b

SHA512
85e319f056a9d0ea1aaffd46c29a83bf4451058e8f0de3d2378b8255abe92c2915ce9cdeb4c7bddc0b4100edde3cbefa001621b1f67b458de1d7ec6e0b447dd4

Download Submit
memory/812-22-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/812-23-0x0000000003190000-0x00000000035B0000-memory.dmp

Filesize
4.1MB

Download
memory/812-27-0x0000000003190000-0x00000000035B0000-memory.dmp

Filesize
4.1MB

Download
memory/2672-30-0x0000000002810000-0x0000000002C30000-memory.dmp

Filesize
4.1MB

Download
memory/2672-28-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-43-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-31-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-38-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-41-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-42-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-29-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-44-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-45-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-46-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-49-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/2916-50-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download
memory/2916-32-0x00000000027A0000-0x00000000029AC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads