Malware Analysis Report

2024-10-16 03:31

Sample ID 240819-ab9rjawbmq
Target 6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f
SHA256 6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f
Tags
banload discovery downloader dropper evasion trojan
score
10/10


Analysis Overview

score
10/10

SHA256

6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f

Threat Level: Known bad

The file 6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Enumerates connected drives

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-19 00:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-19 00:03

Reported

2024-08-19 00:06

Platform

win7-20240704-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID\ = "Icad.ViewerDrawing" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ = "Visio Viewer CAD Drawing" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe

"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1320

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-19 00:03

Reported

2024-08-19 00:06

Platform

win10v2004-20240802-en

Max time kernel

142s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\TypeLib C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\VersionIndependentProgID\ = "SppComApi.TokenActivation" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ = "TokenActivation Class" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ThreadingModel = "Free" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\TypeLib\ = "{B0C2A63F-AFF8-40E3-B42D-8A542DC909EC}" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\AppID = "{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B}" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID\ = "SppComApi.TokenActivation.1" C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe

"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2104 -ip 2104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1736

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Itsth\Easy2Sync_for_Outlook\logfile.txt

MD5 27d2933c90fbdafea6bf93e7e2a79402
SHA1 9c9a25919a4d0bd99b85184d14f25bf5f2ad8e16
SHA256 38f244c4fbecebf351f06d564d7f66cefd71c2aa31de4547cded3725055bc522
SHA512 bb5ef34b96319a1419a58b8863b0e48e9cc0ea74d68e143f7ffa5931b544a1fc61e58bcaba56fe00167e3a2ee86119c9d8d6be506af5aa3cbf2c0f3281dda1f7

C:\Users\Admin\AppData\Roaming\Itsth\Easy2Sync_for_Outlook\logfile.txt

MD5 babda7708f686c5691f065c9b42e489c
SHA1 9fe86bfd4b0c4ecac730986771fe8959e2e4a929
SHA256 cc7ef5a9c8247f14cb99eab368b8e2c30dfa30f06ba95b28835817681dd23e67
SHA512 bc3f800241ecbe6890631cfa91c2350b51ecc8c9ddde027fba2f4a122c3f2b6fdaaba1495fc06faa93df5879be03c0dac4bacd1469e02cde7caa6a4925ba9d35
