Malware Analysis Report

2024-10-16 03:33

Sample ID 240416-r8kmcaed4s
Target 2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia
SHA256 0d61072b68bd99ded6712167e8a225c7f5f7a35634f527dd24b23d3ea54fc33f
Tags
banload downloader dropper trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d61072b68bd99ded6712167e8a225c7f5f7a35634f527dd24b23d3ea54fc33f

Threat Level: Known bad

The file 2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia was found to be: Known bad.

Malicious Activity Summary

banload downloader dropper trojan

Banload

Checks BIOS information in registry

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-16 14:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-16 14:51

Reported

2024-04-16 14:54

Platform

win7-20240221-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe"

Signatures

Banload

trojan dropper downloader banload

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ProgID C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ProgID\ = "ScriptletHandler.Behavior" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C} C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ = "Constructor for Scriptlet Behavior Handler" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe"

Network

N/A

Files

memory/2060-1-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-0-0x0000000002650000-0x000000000285D000-memory.dmp

memory/2060-8-0x0000000002650000-0x000000000285D000-memory.dmp

memory/2060-13-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-14-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-15-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-16-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-17-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-18-0x0000000002650000-0x000000000285D000-memory.dmp

memory/2060-20-0x0000000002650000-0x000000000285D000-memory.dmp

memory/2060-22-0x0000000000400000-0x0000000000694000-memory.dmp

memory/2060-23-0x0000000002650000-0x000000000285D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-16 14:51

Reported

2024-04-16 14:54

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe"

Signatures

Banload

trojan dropper downloader banload

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C} C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ = "Microsoft Word 6.0 - 7.0 Picture" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\AutoConvertTo\ = "{00020907-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\NotInsertable\ C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\TreatAs\ = "{00020906-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\AutoConvertTo C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE,1" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\NotInsertable C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ProgID C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ProgID\ = "Word.Picture.6" C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\TreatAs C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe N/A
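The three indicator tables repeated in behavioral1 and behavioral2 (the SystemBios* reads, the CLSID registrations under Wow6432Node, and the two privilege adjustments) are flat text, which makes them awkward to diff between runs or feed into a detection rule. The script below is an example added to this page, not part of the sandbox's own tooling: it parses rows in the "Description Indicator Process Target" layout used above (sample rows copied from both runs) and applies a few triage heuristics of its own. It labels reads of HARDWARE\DESCRIPTION\System\SystemBios* as a VM/sandbox fingerprint check (a read that benign installers also make, so it is context, not a verdict); it flags COM InprocServer32 registrations whose server is scrobj.dll (the signed Windows script component handler, which regsvr32 can be driven to load a remote scriptlet through) or whose path lies outside the Windows and Program Files directories; and it flags TreatAs redirections to another CLSID. The sandbox prints one privilege as the bare LUID 33, which winnt.h defines as SE_INC_WORKING_SET_PRIVILEGE; that mapping, the label names and the directory cut-off are the example's own assumptions. Two caveats a practitioner should keep in mind: the report assigns no verdict to the registry class writes, and the ProgID and description strings written on Win7 look like the stock registration strings for the scriptlet behavior handler, so compare the key against a clean host of the same build before treating it as attacker persistence. Both privileges listed are low-impact ones that ordinary applications also enable, so on their own they are weak evidence.

```python
"""Parse the flattened 'Description Indicator Process Target' rows of the
signature tables above and apply a few triage heuristics to them.
Sample rows are copied from the report; the heuristics, labels and the
PRIVILEGE_LUIDS table are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Process column of every row on the page.
PROC = r"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe"

# Rows copied from the behavioral1 (Win7) and behavioral2 (Win10) tables,
# with the process column abbreviated to <PROC> so the lines stay readable.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion <PROC> N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate <PROC> N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32 <PROC> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\ProgID\ = "ScriptletHandler.Behavior" <PROC> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32\ThreadingModel = "Apartment" <PROC> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" <PROC> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\NotInsertable\ <PROC> N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3528EDFF-F245-78C2-7A54-F6C02B30499C}\TreatAs\ = "{00020906-0000-0000-C000-000000000046}" <PROC> N/A
Token: 33 N/A <PROC> N/A
Token: SeIncBasePriorityPrivilege N/A <PROC> N/A
""".replace("<PROC>", PROC)

# One row = action, indicator (may contain spaces), process path, target.
ROW_RE = re.compile(
    r"^(?P<action>Key value queried|Key created|Set value \(\w+\)|Token: \S+) "
    r"(?P<indicator>.+?) "
    r"(?P<process>N/A|[A-Za-z]:\\\S+) "
    r"(?P<target>\S+)$"
)
# 'Set value' indicators look like  <key>\<name> = "<data>"; a trailing
# backslash before ' = ' means the key's default value was written.
SET_RE = re.compile(r'^(?P<key>.*?) = "?(?P<value>.*?)"?$')

# Numeric privilege LUIDs the sandbox prints instead of names; value from
# winnt.h (SE_INC_WORKING_SET_PRIVILEGE = 33). Extend as needed.
PRIVILEGE_LUIDS = {"33": "SeIncreaseWorkingSetPrivilege"}

# Directories an in-process COM server is expected to live in (example's own cut-off).
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files")


@dataclass
class Event:
    action: str
    key: str              # registry path, or privilege name/LUID for Token rows
    value: Optional[str]  # data written by 'Set value' rows, else None
    process: str


def parse_rows(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Description"):
            continue  # blank line or the table header
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        action, indicator = m["action"], m["indicator"]
        value: Optional[str] = None
        if action.startswith("Token:"):
            key = action.split(": ", 1)[1]
        elif action.startswith("Set value"):
            sm = SET_RE.match(indicator)
            key, value = (sm["key"], sm["value"]) if sm else (indicator, "")
        else:
            key = indicator
        events.append(Event(action, key, value, m["process"]))
    return events


def analyze(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (label, detail) pairs in row order; labels are this example's own."""
    findings = []
    for ev in events:
        k = ev.key.lower()
        if ev.action == "Key value queried":
            # SystemBios*/VideoBios* under HARDWARE\DESCRIPTION\System are the
            # classic VM/sandbox fingerprint reads (benign software reads them too).
            if "\\hardware\\description\\system\\" in k and "bios" in k.rsplit("\\", 1)[-1]:
                findings.append(("sandbox_fingerprint", ev.key))
        elif ev.action.startswith("Set value"):
            data = (ev.value or "").replace("\\\\", "\\")  # undo the report's escaping
            if k.endswith("\\inprocserver32\\"):
                if data.rsplit("\\", 1)[-1].lower() == "scrobj.dll":
                    findings.append(("com_inproc_scrobj", data))
                elif not data.lower().startswith(TRUSTED_DLL_DIRS):
                    findings.append(("com_inproc_unusual_path", data))
            elif k.endswith("\\treatas\\"):
                findings.append(("com_treatas_redirect", data))
        elif ev.action.startswith("Token:"):
            findings.append(("privilege_adjust", PRIVILEGE_LUIDS.get(ev.key, ev.key)))
    return findings


if __name__ == "__main__":
    for label, detail in analyze(parse_rows(SAMPLE_ROWS)):
        print(f"{label:24} {detail}")
```

Paste the full tables of a report into SAMPLE_ROWS (or read them from a file) and diff the output of the two runs; the parser raises on any row it does not understand rather than silently skipping it, which is the behaviour you want when the sandbox changes its column layout.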

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-16_b677d26884f0477b7968efc7fdd571ef_mafia.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
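Behavioral1 recorded no network activity at all, and every row in the behavioral2 table is either a reverse (in-addr.arpa) lookup or traffic for chromewebstore.googleapis.com, which is consistent with the msedge.exe utility process listed under Processes rather than with the sample; the report records no sample-originated C2 traffic in either run. The script below is an example added to this page, not part of the sandbox's tooling: it parses rows in the "Country Destination Domain Proto" layout above (rows copied from the behavioral2 table), decodes each reverse lookup back into the address it refers to, ties that address to any non-DNS connection in the same table, and labels the remaining forward lookups and connections as background or "review". The BACKGROUND_SUFFIXES list is the example's own assumption, chosen because the page shows an Edge process, and is not an allowlist from the sandbox; a reverse lookup that matches no connection is labelled unmatched rather than attributed to anyone, because on its own it proves nothing about the sample.

```python
"""Separate sample traffic from sandbox background noise in a flattened
'Country Destination Domain Proto' network table. The rows are copied from
the behavioral2 table above; the labels and BACKGROUND_SUFFIXES are this
example's own."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domains this example treats as browser/OS background traffic. Chosen
# because the Processes section lists an msedge.exe utility process; this is
# an assumption of the example, not an allowlist from the sandbox.
BACKGROUND_SUFFIXES = ("googleapis.com", "google.com", "gvt1.com",
                       "microsoft.com", "msftconnecttest.com", "windowsupdate.com")

# Rows copied from the behavioral2 network table, header included.
SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$"
)


@dataclass
class Flow:
    country: str
    dest_ip: str
    dest_port: int
    name: str   # queried name for DNS rows, resolved name for connections
    proto: str


def parse_network(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank line or the header row
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["name"], m["proto"]))
    return flows


def ptr_to_ip(name: str) -> Optional[str]:
    """'13.86.106.20.in-addr.arpa' -> '20.106.86.13'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_background(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in BACKGROUND_SUFFIXES)


def triage_network(text: str) -> List[Tuple[str, str]]:
    """Label each row in table order; the '*_review' labels are the ones to look at."""
    flows = parse_network(text)
    # Addresses the sandbox actually connected to (anything other than DNS).
    connected = {f.dest_ip for f in flows if f.dest_port != 53}
    labels = []
    for f in flows:
        ip = ptr_to_ip(f.name)
        if ip is not None:
            # A reverse lookup only shows the OS resolved an address; it is tied
            # to observed activity only if that address was also connected to.
            labels.append(("ptr_of_seen_connection" if ip in connected else "ptr_unmatched", ip))
        elif f.dest_port == 53 and f.proto == "udp":
            labels.append(("dns_background" if is_background(f.name) else "dns_review", f.name))
        else:
            kind = "conn_background" if is_background(f.name) else "conn_review"
            labels.append((kind, f"{f.name} -> {f.dest_ip}:{f.dest_port}/{f.proto}"))
    return labels


def summary(text: str) -> Counter:
    return Counter(label for label, _ in triage_network(text))


if __name__ == "__main__":
    for label, detail in triage_network(SAMPLE_NETWORK):
        print(f"{label:24} {detail}")
    print(dict(summary(SAMPLE_NETWORK)))
```

On the page's rows this yields one reverse lookup that matches the only real connection (216.58.212.202, the chromewebstore endpoint), eight reverse lookups with no matching connection, and nothing in either review bucket; any row that does land in a review bucket is where to start when the same table is taken from a run that did reach a C2 server.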

Files

memory/948-0-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-2-0x0000000002C60000-0x0000000002E6D000-memory.dmp

memory/948-9-0x0000000002C60000-0x0000000002E6D000-memory.dmp

memory/948-14-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-15-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-16-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-17-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-18-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-19-0x0000000002C60000-0x0000000002E6D000-memory.dmp

memory/948-21-0x0000000002C60000-0x0000000002E6D000-memory.dmp

memory/948-23-0x0000000000400000-0x0000000000694000-memory.dmp

memory/948-24-0x0000000002C60000-0x0000000002E6D000-memory.dmp