banload | 754c0ab103289ee5562debcf47b71a94abec388ebb73bfa16469ff736b8d72f6 | Triage

Analysis

max time kernel
215s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 18:29

Sharing

Report Analysis Logs

General

Target

files/Setup.exe
Size

8.5MB
MD5

98169506fec94c2b12ba9930ad704515
SHA1

bce662a9fb94551f648ba2d7e29659957fd6a428
SHA256

9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
SHA512

7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
SSDEEP

196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Score

10^/10

banload downloader dropper evasion persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Setup.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3724 set thread context of 3488	3724	Setup.exe	85

Executes dropped EXE 1 IoCs

pid	Process
5008	Setup.exe

Loads dropped DLL 1 IoCs

pid	Process
4452	httpd.au3

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1268	5008	WerFault.exe	81

Modifies registry class 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Elevation\Enabled = "1"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "EditionUpgradeHelperObj.EditionUpgradeHelper.1"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Programmable	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{09C6A793-92DC-4D27-A11D-3921C9314DED}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalizedString = "@%SystemRoot%\\System32\\EditionUpgradeHelper.dll,-3100"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Elevation	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "%SystemRoot%\\system32\\EditionUpgradeHelper.dll"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "EditionUpgradeHelper Class"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AppID = "{6F65B602-F798-4094-8A41-A2A61961E5E8}"	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib	Setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "EditionUpgradeHelperObj.EditionUpgradeHelper"	Setup.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3724	Setup.exe
3724	Setup.exe
3488	more.com
3488	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3724	Setup.exe
3488	more.com

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 5008	3724	Setup.exe	81
PID 3724 wrote to memory of 5008	3724	Setup.exe	81
PID 3724 wrote to memory of 5008	3724	Setup.exe	81
PID 3724 wrote to memory of 3488	3724	Setup.exe	85
PID 3724 wrote to memory of 3488	3724	Setup.exe	85
PID 3724 wrote to memory of 3488	3724	Setup.exe	85
PID 3724 wrote to memory of 3488	3724	Setup.exe	85
PID 3488 wrote to memory of 4452	3488	more.com	87
PID 3488 wrote to memory of 4452	3488	more.com	87
PID 3488 wrote to memory of 4452	3488	more.com	87
PID 3488 wrote to memory of 4452	3488	more.com	87

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Users\Admin\AppData\Roaming\loadctrltb\VNKJJBVEIVTDTULYF\Setup.exe
  C:\Users\Admin\AppData\Roaming\loadctrltb\VNKJJBVEIVTDTULYF\Setup.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 736
    3⤵
    - Program crash
    PID:1268
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\httpd.au3
    C:\Users\Admin\AppData\Local\Temp\httpd.au3
    3⤵
    - Loads dropped DLL
    PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5008 -ip 5008
1⤵
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\94f63561

Filesize
2.0MB

MD5
3bb3cd11d8c738794a6eb7c20ef17fe4

SHA1
10567c5a3af462e07a95d4501fd4fc3aef04f0b3

SHA256
3b65631ed337450d863934f74a9912351a5059978782aad9b01f370ec5c2affe

SHA512
761035c06d0441e340e7b8eb32d65fcff9fb62e05090e324312ba325fbef0bc63ce49ba7a1695369e9939ab869a75aab800af804cdbd82addb668b95e2cd25a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpd.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Roaming\loadctrltb\VNKJJBVEIVTDTULYF\Setup.exe

Filesize
111KB

MD5
9f262921a7fbd432c3a694a372caf1b9

SHA1
dfd75a8835a5553d457f4f702c7fe5785227854f

SHA256
56cff82b9e3ee0ed5e74a3e55115e96fd198598be26492cca7b15d9b9023a238

SHA512
cabeaef6132444dc06e7a53332eb58446f7046069044c44b7a27693866a1d66aad7b3ebb5fe7bb79b780548a75b206528f176f5505c574b1c7ad3bcc6fc628b8

Download Submit
memory/3488-47-0x00000000754B0000-0x000000007562D000-memory.dmp

Filesize
1.5MB

Download
memory/3488-45-0x00007FFFFFDE0000-0x00007FFFFFFE9000-memory.dmp

Filesize
2.0MB

Download
memory/3724-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-0-0x0000000003FF0000-0x00000000041D8000-memory.dmp

Filesize
1.9MB

Download
memory/3724-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-20-0x00007FFFDEEA0000-0x00007FFFDF01A000-memory.dmp

Filesize
1.5MB

Download
memory/3724-36-0x00007FFFDEEB8000-0x00007FFFDEEB9000-memory.dmp

Filesize
4KB

Download
memory/3724-35-0x00007FFFDEEA0000-0x00007FFFDF01A000-memory.dmp

Filesize
1.5MB

Download
memory/3724-37-0x00007FFFDEEA0000-0x00007FFFDF01A000-memory.dmp

Filesize
1.5MB

Download
memory/3724-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-41-0x00007FFFDEEA0000-0x00007FFFDF01A000-memory.dmp

Filesize
1.5MB

Download
memory/3724-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/3724-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4452-51-0x00007FFFFFDE0000-0x00007FFFFFFE9000-memory.dmp

Filesize
2.0MB

Download
memory/4452-52-0x0000000000190000-0x00000000001EB000-memory.dmp

Filesize
364KB

Download
memory/4452-54-0x0000000000190000-0x00000000001EB000-memory.dmp

Filesize
364KB

Download