banload | 9185716722b68de194c9824edc19aad783e3dddcd9bdcf20248ba81518a45247

Analysis

max time kernel
10s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 21:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Order details 20160616041125.exe
Size

2.3MB
MD5

9e991c33f9efd867b825c2fe4549b5fb
SHA1

a7ba6b2e7ee9065078aa1966fe02e2c68be2776e
SHA256

76b60081e96d6aa0c53ad703aa15ce175b8d92a38984b345898c6a726b769cc3
SHA512

e4221c5ad82a0adc3db3a77cf2dcd27eb9a55c87862b8b952cf8f1510f08f5a34b357f3d5a31c27c6587befec87a784e76095d8c4a3585d7c951453a45a08e0b
SSDEEP

49152:Ic6OpPaFwGDGBO/EaoGgF6zOcpbv16h0VOWJ8KyJ7nUPW7OuQn4b:Ic6OpPaWG8Eoxmtt1IzzKCyng

Score

10^/10

banload downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

adbr01.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ adbr01.exe
Sets file to hidden 1 TTPs 5 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2656 attrib.exe
2644 attrib.exe
1268 attrib.exe
3708 attrib.exe
4752 attrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	adbr01.exe

pid	process
2656	attrib.exe
2644	attrib.exe
1268	attrib.exe
3708	attrib.exe
4752	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

adbr01.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adbr01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	adbr01.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Order details 20160616041125.exeWScript.execmd.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Order details 20160616041125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

Processes:

adbr01.exeadbr01.exe

pid process

2892 adbr01.exe
3160 adbr01.exe

pid	process
2892	adbr01.exe
3160	adbr01.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\acro2.bat"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

4980 ipconfig.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
4980	ipconfig.exe

Modifies registry class 9 IoCs

Processes:

adbr01.exeOrder details 20160616041125.execmd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\AutoConvertTo	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\AutoConvertTo\ = "{64818D10-4F9B-11CF-86EA-00AA00B929E8}"	adbr01.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Order details 20160616041125.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\NotInsertable	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\NotInsertable\	adbr01.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID	adbr01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}\ProgID\ = "MSPowerPoint"	adbr01.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

Order details 20160616041125.exeWScript.execmd.exeWScript.execmd.exeadbr01.exe

description	pid	process	target process
PID 2692 wrote to memory of 2280	2692	Order details 20160616041125.exe	WScript.exe
PID 2692 wrote to memory of 2280	2692	Order details 20160616041125.exe	WScript.exe
PID 2692 wrote to memory of 2280	2692	Order details 20160616041125.exe	WScript.exe
PID 2280 wrote to memory of 4540	2280	WScript.exe	cmd.exe
PID 2280 wrote to memory of 4540	2280	WScript.exe	cmd.exe
PID 2280 wrote to memory of 4540	2280	WScript.exe	cmd.exe
PID 4540 wrote to memory of 2176	4540	cmd.exe	xcopy.exe
PID 4540 wrote to memory of 2176	4540	cmd.exe	xcopy.exe
PID 4540 wrote to memory of 2176	4540	cmd.exe	xcopy.exe
PID 4540 wrote to memory of 4752	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 4752	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 4752	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 3708	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 3708	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 3708	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 1268	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 1268	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 1268	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2644	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2644	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2644	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2656	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2656	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2656	4540	cmd.exe	attrib.exe
PID 4540 wrote to memory of 2948	4540	cmd.exe	WScript.exe
PID 4540 wrote to memory of 2948	4540	cmd.exe	WScript.exe
PID 4540 wrote to memory of 2948	4540	cmd.exe	WScript.exe
PID 2948 wrote to memory of 1920	2948	WScript.exe	cmd.exe
PID 2948 wrote to memory of 1920	2948	WScript.exe	cmd.exe
PID 2948 wrote to memory of 1920	2948	WScript.exe	cmd.exe
PID 1920 wrote to memory of 2604	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2604	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2604	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 4980	1920	cmd.exe	ipconfig.exe
PID 1920 wrote to memory of 4980	1920	cmd.exe	ipconfig.exe
PID 1920 wrote to memory of 4980	1920	cmd.exe	ipconfig.exe
PID 1920 wrote to memory of 2892	1920	cmd.exe	adbr01.exe
PID 1920 wrote to memory of 2892	1920	cmd.exe	adbr01.exe
PID 1920 wrote to memory of 2892	1920	cmd.exe	adbr01.exe
PID 2892 wrote to memory of 3160	2892	adbr01.exe	adbr01.exe
PID 2892 wrote to memory of 3160	2892	adbr01.exe	adbr01.exe
PID 2892 wrote to memory of 3160	2892	adbr01.exe	adbr01.exe
PID 2892 wrote to memory of 3160	2892	adbr01.exe	adbr01.exe
PID 2892 wrote to memory of 3160	2892	adbr01.exe	adbr01.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2644 attrib.exe
1268 attrib.exe
3708 attrib.exe
4752 attrib.exe
2656 attrib.exe

pid	process
2644	attrib.exe
1268	attrib.exe
3708	attrib.exe
4752	attrib.exe
2656	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Order details 20160616041125.exe
"C:\Users\Admin\AppData\Local\Temp\Order details 20160616041125.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
      4⤵
      Enumerates system info in registry
      PID:2176
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4752
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3708
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1268
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2644
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2656
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob8.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb04.bat" /quiet /passive /norestart"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\acro2.bat"
        6⤵
        Adds Run key to start application
        
        PID:2604
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4980
      - C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
        
        adbr01.exe -f "011.011"
        7⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Modifies registry class
        
        PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

Filesize
121B

MD5
ec564124a9dd31059b46164ddb84bffe

SHA1
5010c1c9b7da9bb0d8d6d23934fc4d46a7e81089

SHA256
aeeb1814d28b517673afae42d08d1410748e94a49fac33b244e774007fa7228d

SHA512
e38dcb337511befdf97eff59042bd5fd3a50e46a06bdb7427c4c3bcf579e74a96b7813729995ece06f317d93d04fd7005ca390be0a1d194012de9644260de439

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

Filesize
124KB

MD5
1a1075e5e307f3a4b8527110a51ce827

SHA1
f453838ed21020b7ca059244feea8579e5aa74ef

SHA256
ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

SHA512
b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat

Filesize
560B

MD5
7ca9907a39a5965340b7c22135dc0b4b

SHA1
ffa547b05f34b60aa9fd92197d7740ef823595e8

SHA256
fdf72a8ee2666c78ae8e8af7edbbba7ddd3024e5acf92e699240e92bf5c0351e

SHA512
7aee197d2e53ed6efddf4f80c4bc8fd12339b26dba04cc5399ce0033dc08ee5455c0241d07b3f25d813850b1c141049039ef995ba39b8005d5c170c0348f806a

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob8.vbs

Filesize
186B

MD5
1eeddf7db78484775affcf7c4e50559c

SHA1
11019942b7df68db45de8cd4ed7cba472ad53e9c

SHA256
1929cf1c929fddafb469d1ef76d7fd8bedcd60e98799baec7de7daaafc84fe5f

SHA512
68a8172b23b02bf32df607b89e407d848a5d5e234f35e4cb49977d3b40510f7369b61dd6dc800a33cd4e7d04209a5a167e32f751c13cac36bc9a9e7d10b32efb

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

Filesize
189B

MD5
7194f66abfcf759611a217a29517d6ad

SHA1
8a728a65c45dadf870a55568b305be90f75c3fb9

SHA256
90e01faf3bf9434e5e08aa7a53e2bc57b30ccdab9d380b52ae6b22d5dd59674d

SHA512
e88b322bff61ed8cfde0d3039ced1bc2c913b5d6b27b6bfd6dd4b00eabfb93fb17fd87140eaab2b9c4e8493a7501f715a6c348a04f854bfd3adc50bdb036b648

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

Filesize
256KB

MD5
97b8dbcc7b3cc290aef4241df911ac2e

SHA1
733ababbcd278821d4e3ee78580841981f26642e

SHA256
c44ca1fe145c4f0dcea4efb95171cbf16dfec9fe66a603fbe29c94c21050a023

SHA512
4adaa7621e2c858e6541792146260142e1d28683ec1515a743a56bc106ab425edfce856ef3b0d146d63704b34694c9e666a39e3845a097d41cbf465537ec9b25

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro2.bat

Filesize
140B

MD5
7bb4eba6e18a150355471dcfc0e40c3a

SHA1
7969168d05aff11731b5e3bf9466e1127e24e511

SHA256
43a0938d03500449e948ca253f238bc03614e7df9f4c2bb03d6f3ca5fbc85a69

SHA512
51a2b7f272431019b9adc1076013d4e402b4b6b263c17cfa6252e1e75767b94b8f5da563c15c4e2dc0a8488067916d6df43061a1465adc439d43eb99028b05ed

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adb04.bat

Filesize
1KB

MD5
2a2f9ae17f5dda0a92450f673bb8197a

SHA1
17a1bd2f1ef704ab23988ba47f400834043a28b9

SHA256
3f957b0a4032a622490ba18fc19d2f129b77ff35b33fbc8274e8cbe69adca19e

SHA512
4a67d1c261e12472bd86a6a5042134d1e3173c7404b7227a112385782064eb3f4aa7896352eeeaf8c79257f02a5d6876f1ba6353697c7794b2205dbefe2ba2ee

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

Filesize
2.1MB

MD5
cb8df8ed0105afca1e2ce2c76801138b

SHA1
7e53449562f1254f5937d2ab9262ebd79ccf4971

SHA256
b4e4553b3b4df393d5912a0263eaacf1c0485d45e1acfb7da8324c0e578c68ac

SHA512
b460390109f2ca81e4393c9d1a3f376a745db8cde78a384955ddf7de3b4efd6036f493d1ae7cea389ddeb9be2440dc5f5fd6159a65c177d957557bb1a0daa75e

Download Submit
C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

Filesize
2.1MB

MD5
286bcd871d32dfd3dc95a7d58472d60e

SHA1
01f2c1f3d4d1b7e372a6f33fb5f8cc16eba26f8d

SHA256
6226ae0cf75b048429aad462016cbae45396628faf9763cad91805249e2ac6b1

SHA512
25e7f6e1dde63547bcd3d471cf8f735cd15c07e4991853e42326f8737ad59ddc0c0d650932f3637d349653a07133fa282a08dda8600dc478431464de49280794

Download Submit
memory/2892-50-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-54-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-56-0x0000000002AF0000-0x0000000002CFC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-60-0x0000000002AF0000-0x0000000002CFC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-67-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-68-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-70-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-69-0x0000000000400000-0x00000000006B3000-memory.dmp

Filesize
2.7MB

Download
memory/3160-71-0x0000000002AF0000-0x0000000002CFC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-77-0x0000000002AF0000-0x0000000002CFC000-memory.dmp

Filesize
2.0MB

Download
memory/3160-80-0x0000000002AF0000-0x0000000002CFC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads