banload | 5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6

General

Target

5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Size

3.1MB
MD5

861b8699461ffd73f466c44bd951189c
SHA1

9ed297c55ebac055c42b8b245f85317f56791f0b
SHA256

5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6
SHA512

0147ebf599131afb292c181a202929375739cbce490b566e3bb44588c9d7cd871ad6b385eb4d8e44c9383090a6764fd881940012898a703c06a226dcee96441a
SSDEEP

49152:R5+dm/qVi2SPTXcwB9NWIqHM68B1ECYJgkOsm4txzZ15tU:R5t/uiPcU9NWIqs68B+5J7m0xltU

Score

10^/10

banload downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe

Modifies registry class 14 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE,1"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\ = "Microsoft Word 6.0 - 7.0 Document"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\AutoConvertTo	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\PersistentHandler	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\TreatAs	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\AutoConvertTo\ = "{00020906-0000-0000-C000-000000000046}"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\ProgID\ = "Word.Document.6"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\TreatAs\ = "{00020906-0000-0000-C000-000000000046}"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\NotInsertable\	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\ProgID	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\DefaultIcon	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A6DF0E1-9BDE-5C22-E830-370D178B66F2}\NotInsertable	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3896	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
Token: SeIncBasePriorityPrivilege	3896	5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe

C:\Users\Admin\AppData\Local\Temp\5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe
"C:\Users\Admin\AppData\Local\Temp\5fa2e69dcf6bd4d63d4a32ad1cfc6faba84114493009f20f93bccf10ee9c67a6.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3896-0-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-2-0x0000000002C00000-0x0000000002E01000-memory.dmp

Filesize
2.0MB

Download
memory/3896-8-0x0000000002C00000-0x0000000002E01000-memory.dmp

Filesize
2.0MB

Download
memory/3896-14-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-16-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-18-0x0000000002C00000-0x0000000002E01000-memory.dmp

Filesize
2.0MB

Download
memory/3896-17-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-15-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-13-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download
memory/3896-20-0x0000000002C00000-0x0000000002E01000-memory.dmp

Filesize
2.0MB

Download
memory/3896-22-0x0000000000400000-0x00000000008AA000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing