Overview

overview

10

Static

static

1

!ŞetUp_92...up.exe

windows7-x64

10

!ŞetUp_92...up.exe

windows10-2004-x64

10

!ŞetUp_92...up.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    286s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-07-2024 10:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    !ŞetUp_92517--#PaSꞨKḙy#$$/Setup.exe

  • Size

    8.5MB

  • MD5

    98169506fec94c2b12ba9930ad704515

  • SHA1

    bce662a9fb94551f648ba2d7e29659957fd6a428

  • SHA256

    9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

  • SHA512

    7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

  • SSDEEP

    196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Score
10/10
banloaddownloaderdropperevasionpersistenceprivilege_escalationtrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\!ŞetUp_92517--#PaSꞨKḙy#$$\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_92517--#PaSꞨKḙy#$$\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:72
    • C:\Windows\SysWOW64\more.com
      C:\Windows\SysWOW64\more.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\SysWOW64\SearchIndexer.exe
        C:\Windows\SysWOW64\SearchIndexer.exe
        3⤵
          PID:2712

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\232f0f1b
      Filesize

      1.1MB

      MD5

      6411848b0890ecf9e5de9318d23bb73d

      SHA1

      0c4076f1dca37916a2acd84c01db77374da53e84

      SHA256

      1664d6e5d33ddabfe137e9a096676f5d6d599dd4bc9b5a54b81450035ce36ca8

      SHA512

      d2b137f044201edc3cabf999d28b3f5363615980278567adc71baf4be37fd5f4a93ccb6e3be65b04edd44b21759cf466f487f30fe28053efff5579202ff47602

      Download Submit

    • memory/72-35-0x00007FF9058E0000-0x00007FF905D4C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/72-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-36-0x00007FF9058E0000-0x00007FF905D4C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/72-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-20-0x00007FF9058E0000-0x00007FF905D4C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/72-34-0x00007FF9058F8000-0x00007FF9058F9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/72-0-0x00000000040A0000-0x0000000004288000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/72-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/72-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

      Filesize

      25.0MB

      Download

    • memory/2712-45-0x00007FF906CC0000-0x00007FF906EC9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2712-46-0x0000000000C10000-0x0000000000C7E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2712-47-0x0000000000C10000-0x0000000000C7E000-memory.dmp

      Filesize

      440KB

      Download

    • memory/2796-39-0x00007FF906CC0000-0x00007FF906EC9000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2796-41-0x0000000076C7E000-0x0000000076C80000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2796-40-0x0000000076C70000-0x00000000770AB000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2796-42-0x0000000076C70000-0x00000000770AB000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2796-44-0x0000000076C70000-0x00000000770AB000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2796-48-0x0000000076C7E000-0x0000000076C80000-memory.dmp

      Filesize

      8KB

      Download