banload | 6abf9fcec5883b6e4d70810e60bd2d8a133a1a62bc28ca5d17dcc6f45d35214a

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 17:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PictoWords.exe
Size

3.3MB
MD5

6b4fa8b84b8736d7443105c94b7d0d69
SHA1

54918bedcaa3cb472c8cf4d7224682a3585333ca
SHA256

44c2a21ace6dbe42a5d41acebc2d9a357f11e73134e3bab60f394cc5512e753e
SHA512

ca449b683c3d18309210fc34474a12ae1e6280b980cb00a22cbcaadf7669cb4095468918c9913e5558b25148ee9d1c9ba1fa6df66c9b67e1352e1f1e88a6c6b9
SSDEEP

98304:IEE/Obvu8AfPS+u7tx5frlsMAbY4gQFwl2Uz:IEEEulvu75r2M2Y4gQF+Fz

Score

10^/10

banload downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

PictoWords.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ PictoWords.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PictoWords.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PictoWords.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PictoWords.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	PictoWords.exe

Loads dropped DLL 1 IoCs

Processes:

PictoWords.exe

pid process

4984 PictoWords.exe

pid	process
4984	PictoWords.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

PictoWords.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PictoWords.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	PictoWords.exe

Modifies registry class 5 IoCs

Processes:

PictoWords.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8FDBD81-8F37-DC65-FF42-C9897C435945}\InProcServer32\ThreadingModel = "Apartment"	PictoWords.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8FDBD81-8F37-DC65-FF42-C9897C435945}	PictoWords.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8FDBD81-8F37-DC65-FF42-C9897C435945}\ = "IE Microsoft BrowserBand"	PictoWords.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8FDBD81-8F37-DC65-FF42-C9897C435945}\InProcServer32	PictoWords.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8FDBD81-8F37-DC65-FF42-C9897C435945}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll"	PictoWords.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PictoWords.exeAUDIODG.EXE

description	pid	process
Token: 33	4984	PictoWords.exe
Token: SeIncBasePriorityPrivilege	4984	PictoWords.exe
Token: 33	2472	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2472	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PictoWords.exe

pid process

4984 PictoWords.exe

pid	process
4984	PictoWords.exe

C:\Users\Admin\AppData\Local\Temp\PictoWords.exe
"C:\Users\Admin\AppData\Local\Temp\PictoWords.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x43c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tg.fl2
Filesize
1.4MB

MD5
12719eddaab9caeef28c6e58192f594b

SHA1
b2f674f3f7007371c42d2bcf09b839585ea20b61

SHA256
ff12ac1ec68351653211bb9b9b54c31b98a61104c79fce9ee6bd54ead969dae9

SHA512
fe89dddb0da97c810395cc6dae8bbfa73f09bde0fcf5e8b60834c432c5e0eb206c1bc846ea51ad7aabb5955d4c00e50fa26314361aae1fdde70a502331ef52ca

Download Submit
C:\Users\Public\Documents\iWin Games\PictoWords\registry.gcf
Filesize
42B

MD5
c923a5be82dd338aca2ff1f543d59117

SHA1
e35d760649b978953dfffb558b200fa620ec549b

SHA256
40bd854b3465cf559ef025ffb81dc8d81c592d702c87ff072972f79092c7103b

SHA512
7e1ef668ce8f85fd9908109d481da8f82ed42cf072c57c7e4e3e97ee37780206342c7d2c9bf3e1710d2f8a90b8bc9685ebceb6576c5f3dffcd5831537fce93c5

Download Submit
C:\Users\Public\Documents\iWin Games\PictoWords\registry.gcf
Filesize
62B

MD5
79d759df579a0ec59247b2fed7331eb3

SHA1
f0ef6f68351888f25c5aed544cd93a7c6aae5157

SHA256
70c442fd95ab66f9d875167617cb28395ba1ed4c8e4610c7570e3d5721bbc9d2

SHA512
d2b7f86ec9d20a9f2156d89705ef8d503d70058c74e2f75e0cf17afd6272f4f0995a236afb91c3d77ab980e27500495a9f0d4a02be1d2bea585752af6e8c410a

Download Submit
memory/4984-14-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4984-12-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4984-15-0x0000000002A70000-0x0000000002C70000-memory.dmp

Filesize
2.0MB

Download
memory/4984-1-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4984-13-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4984-11-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download
memory/4984-20-0x0000000002A70000-0x0000000002C70000-memory.dmp

Filesize
2.0MB

Download
memory/4984-8-0x0000000002A70000-0x0000000002C70000-memory.dmp

Filesize
2.0MB

Download
memory/4984-2-0x0000000002A70000-0x0000000002C70000-memory.dmp

Filesize
2.0MB

Download
memory/4984-75-0x0000000000400000-0x00000000007C3000-memory.dmp

Filesize
3.8MB

Download