Analysis
-
max time kernel
9s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
24/05/2024, 10:00
General
-
Target
Order details 20160612105629.exe
-
Size
2.4MB
-
MD5
c919f61954ae3fd695c544b81b57cd44
-
SHA1
91485e3debd63f969676b004a01d29ee7ee34350
-
SHA256
66f1bdc2091129f1bc361e606269bd9754b65f00b12613fc8b298bca0568e2f2
-
SHA512
3834eb2cda11830558a73af80d59cde0ef3354f393eb62188ca9de038b277f10f960d591edb3fc9f9678097365bb93f838c3ca1b30bde442e11c4ac05019ba70
-
SSDEEP
49152:IyCUpqemBrMxxniTruyASH1hZWJ61fFEfHOvUHuApND72nq+ilMQc+O/Zi/+r:IyCEq1rWni5ASH1/t51An7f+i2QQi/Q
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 1 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order details 20160612105629.exe"C:\Users\Admin\AppData\Local\Temp\Order details 20160612105629.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\xcopy.exexcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"4⤵
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob7.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb03.bat" /quiet /passive /norestart"5⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"6⤵
- Adds Run key to start application
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- Gathers network information
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exeadbr01.exe -f "011.011"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exeadbr01.exe -f "011.011"7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
-
-
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exeadbr02.exe -f "112.112"6⤵
-
C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr02.exeadbr02.exe -f "112.112"7⤵
-
-
-
-
-
-
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}1⤵
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
1Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
134B
MD5d6edee498876ed57a4099bc05ce6560d
SHA1234728648cf6070c01ee09186a5fe7eaeeed1a9c
SHA2562762d61aa412a9ae30e7de9fb34f1caaa23b998bf033af591b5af5d7e4bb61c5
SHA512602e3501a2e80f6a29b517ab4fd9a177812feedec8e11e02f63365bd177d8f83b33f3afaa01389390e8b36db46d73c3a10e21c864d62ac108618e3657553a3ae
-
Filesize
4B
MD5959dedb23f3421e58d16c60eff6a367b
SHA17bdb5d6220d393c9020ba05bedeedb7fbb31b6ab
SHA256205549d84f02f8d00a6547a0259b5ce7728d3af0a248cac8a6d3fcda2b287ce0
SHA512c8151442fb6e2f0437550eb3e99f696f9fbd41230ee47d5de41223e2ad62e23bc1e7a05afb05d4a978b147f313fc9220282619d9b0dee594644573be22fbb491
-
Filesize
121B
MD57c37368b3740fb8866cf2086d145827a
SHA19f708242e55326119022b5887e79daad585cd1f3
SHA2568a74ec81af34f3aa55a0a4a52bd84a325cd94bf4b742fafedf360dd263347ca6
SHA5124badc7a21168946eaa422574313594e25694d4de2975344076c1361868d69b861e9cb3a96801942005e62484077aa20b1e940e712796bfd46616d77ab80f0e09
-
Filesize
124KB
MD51a1075e5e307f3a4b8527110a51ce827
SHA1f453838ed21020b7ca059244feea8579e5aa74ef
SHA256ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5
SHA512b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1
-
Filesize
560B
MD59d87ac4776ba4e29a292f23e5495e606
SHA1253df9f0dca81a2766876c265206a8fb4c3137a9
SHA25614d8eee9761a090c5f5fe79dda8ca9531d400b0b383a2a5680a2dff0b886917a
SHA5123ccf64e3ae4012456c8c94aacf0838a3d277dafbc20e0f093338a863963ffce3b715dba291fe9701c96390242457d8d0cafa834b667c73dca68760aca6447148
-
Filesize
222B
MD5198d2b0736cfc4833acdf49e8cf261dc
SHA105ef064907fbec52a8385367f687a5561731fb37
SHA256c9d4227e54618b900f365342587d5843d23ed22116c089e984f394a6f5ce8006
SHA512089f66c8bf793c357ab85dbbdd5852d9ce097c55153ae2c44f6eb728e06c7ddbd6988f9a0de4348343bc211241104e6dbe726a6478749093d17335427ae9da02
-
Filesize
223B
MD5620e43d3cd51594e6f631e90d9fd8c22
SHA1000e31e9557fa25e9fd94cd51c7b9583d495d3b2
SHA25653540306a6a950f8cbd1e7c9628d5342eb6f3849398fc448b9c5a42c8cabf449
SHA512bcbab8cfbe5a425531c64dfebf5d3c08323c203d9dd74bea08bd955631dda0a7a88a9092f0eb7ae70e4c0221f85c5ca9e360ed03b8e9d0eeacd1a458ab2c38c6
-
Filesize
256KB
MD5e498d1248df22b33ef62ec548f2b76b7
SHA1db53f5f6a7f7d0c36292d641898409dc81efb1c0
SHA256b1d2ee6ddc0b53765d2aa7af44be4531e77fe8eca912854307aeba25e284ada6
SHA5126923fba13a2ef9c5e975134cb27b77074754a22d0363d525c36b7867012c0e06ff4bff9555fcc83be72723f39b19462655de19877c0206fa2d618ad2d1cb3c63
-
Filesize
140B
MD5124cb6324d434946a483e0f2e55d08b0
SHA12a8955feb5919c59221191c94b6191425eda6c6f
SHA256f3b41f2e24a8cd343d71db7d861ad2511690d4ce6020714e5831ddeab5df2637
SHA5129d8c940c4c420f6048ce6bfa67d8d1ce9c7c7392b02a0c500ddbce91ca708f6cd3892c27db9f06bae7e325b39db5f86cb77cbcf168906d3c7444cc7797a178a5
-
Filesize
1KB
MD5743524e8dcafbeb3b1723c1b8b69da1f
SHA1a7410d68a17e91b56f379b647ed87c8f06728564
SHA2566058df5b51469d19a8a386136e2f6caefaa36d8c4a596c5d202f819837f1627a
SHA512d3f0f7b5b6382d5e4228ea9baaa6466a2eb8cd3a00aa9e79683c87a559723a0baab46738e94fce8f3d380758006636e5486a0c6adc3941628b9f37aacc36b5c6
-
Filesize
2.2MB
MD57d56f54e9d29ea8e6b5533bc87db0349
SHA1129cbcf51bc30a690f99d25fb7fc5fa1e910ddc5
SHA25667373f02e2d5cb85f46e2f30de7eb5a4ff9762155baf6d75f3437ef1e9a40c5b
SHA5125f027113bc529b708a348b3c0ae62edaf926ca6fef089fbcef99d2ff43bbe7e229ec2bfe562b50a49b807dcb9834aff164e30c9f410f96da621fdcea09f67a38
-
Filesize
2.2MB
MD5e0c3bf874e08648e65a16fa62b11c735
SHA15e4f96d982cb4c8522befc27dd8779ef681637b3
SHA256fd558458ed917c4be35e4a1b6be608e087ae86eecb280f408b39af112717382d
SHA512b2955a3b36d2002a166e62d459fe028b0b6c727390b9e5b545b683572db244bc8b4ce5bff6cef05509cf8d529caa874c4955708a07ad3f508438fed8ea87c02a
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.0MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
2.8MB
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
8KB