Analysis

  • max time kernel
    4s
  • max time network
    0s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 21:19

General

  • Target

    Po2865-16-CD1.exe

  • Size

    2.4MB

  • MD5

    77914c7c55fea8133e89f9cd8ffa551b

  • SHA1

    5a23d06d72f5498c34c692624472ad32a3c97d3a

  • SHA256

    84c48a6fb8c37c190eab05a96a98432a175dba7ff9f6853d6b91e260481bf2df

  • SHA512

    31a39168c7d58fd66db4cee361aacd4986b49af2450e1b8c63caa95eccd2355acd1eba722b0208d52f9cde0029d98af78208a809ed4a73f33c52c4ec3a69f250

  • SSDEEP

    49152:IyCUpqemBrMxxniTruyASH1hZWJ61fFEfHOvUHuApND72nq+ilMQc+O/Zi/+f:IyCEq1rWni5ASH1/t51An7f+i2QQi/c

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 5 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe
    "C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\xcopy.exe
          xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
          4⤵
          • System Location Discovery: System Language Discovery
          • Enumerates system info in registry
          PID:2020
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:2316
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:576
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:960
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1312
        • C:\Windows\SysWOW64\attrib.exe
          attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
          4⤵
          • Sets file to hidden
          • System Location Discovery: System Language Discovery
          • Views/modifies file attributes
          PID:1932
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob7.vbs"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1752
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb03.bat" /quiet /passive /norestart"
            5⤵
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:1768
            • C:\Windows\SysWOW64\reg.exe
              REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"
              6⤵
              • Adds Run key to start application
              • System Location Discovery: System Language Discovery
              PID:2896
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              6⤵
              • System Location Discovery: System Language Discovery
              • Gathers network information
              PID:2832
            • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
              adbr01.exe -f "011.011"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2472
              • C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe
                adbr01.exe -f "011.011"
                7⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                PID:2064
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    PID:1100

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\004.afq

    Filesize

    120B

    MD5

    b0512358af17f4999841bebf8afcb2c5

    SHA1

    56904fade30129d6b224c8b5b2a55e9820d20293

    SHA256

    63e94cc5a681c68f87332103e1b3736bc4fb8ae618b4143a5cd6302661cdc66e

    SHA512

    261d2260e80cbbff96fb6f42295823360bbc72be8a9eda9596976861280d0c25b03056cd96cc217b6dd4ecc774c9f0adf124028626bacf7341bb1a8e6bfda136

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\AReader.exe

    Filesize

    124KB

    MD5

    1a1075e5e307f3a4b8527110a51ce827

    SHA1

    f453838ed21020b7ca059244feea8579e5aa74ef

    SHA256

    ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5

    SHA512

    b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat

    Filesize

    560B

    MD5

    9d87ac4776ba4e29a292f23e5495e606

    SHA1

    253df9f0dca81a2766876c265206a8fb4c3137a9

    SHA256

    14d8eee9761a090c5f5fe79dda8ca9531d400b0b383a2a5680a2dff0b886917a

    SHA512

    3ccf64e3ae4012456c8c94aacf0838a3d277dafbc20e0f093338a863963ffce3b715dba291fe9701c96390242457d8d0cafa834b667c73dca68760aca6447148

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob7.vbs

    Filesize

    222B

    MD5

    198d2b0736cfc4833acdf49e8cf261dc

    SHA1

    05ef064907fbec52a8385367f687a5561731fb37

    SHA256

    c9d4227e54618b900f365342587d5843d23ed22116c089e984f394a6f5ce8006

    SHA512

    089f66c8bf793c357ab85dbbdd5852d9ce097c55153ae2c44f6eb728e06c7ddbd6988f9a0de4348343bc211241104e6dbe726a6478749093d17335427ae9da02

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs

    Filesize

    223B

    MD5

    620e43d3cd51594e6f631e90d9fd8c22

    SHA1

    000e31e9557fa25e9fd94cd51c7b9583d495d3b2

    SHA256

    53540306a6a950f8cbd1e7c9628d5342eb6f3849398fc448b9c5a42c8cabf449

    SHA512

    bcbab8cfbe5a425531c64dfebf5d3c08323c203d9dd74bea08bd955631dda0a7a88a9092f0eb7ae70e4c0221f85c5ca9e360ed03b8e9d0eeacd1a458ab2c38c6

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobeta.exe

    Filesize

    256KB

    MD5

    e498d1248df22b33ef62ec548f2b76b7

    SHA1

    db53f5f6a7f7d0c36292d641898409dc81efb1c0

    SHA256

    b1d2ee6ddc0b53765d2aa7af44be4531e77fe8eca912854307aeba25e284ada6

    SHA512

    6923fba13a2ef9c5e975134cb27b77074754a22d0363d525c36b7867012c0e06ff4bff9555fcc83be72723f39b19462655de19877c0206fa2d618ad2d1cb3c63

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\acro1.bat

    Filesize

    140B

    MD5

    124cb6324d434946a483e0f2e55d08b0

    SHA1

    2a8955feb5919c59221191c94b6191425eda6c6f

    SHA256

    f3b41f2e24a8cd343d71db7d861ad2511690d4ce6020714e5831ddeab5df2637

    SHA512

    9d8c940c4c420f6048ce6bfa67d8d1ce9c7c7392b02a0c500ddbce91ca708f6cd3892c27db9f06bae7e325b39db5f86cb77cbcf168906d3c7444cc7797a178a5

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adb03.bat

    Filesize

    1KB

    MD5

    743524e8dcafbeb3b1723c1b8b69da1f

    SHA1

    a7410d68a17e91b56f379b647ed87c8f06728564

    SHA256

    6058df5b51469d19a8a386136e2f6caefaa36d8c4a596c5d202f819837f1627a

    SHA512

    d3f0f7b5b6382d5e4228ea9baaa6466a2eb8cd3a00aa9e79683c87a559723a0baab46738e94fce8f3d380758006636e5486a0c6adc3941628b9f37aacc36b5c6

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr01.exe

    Filesize

    2.2MB

    MD5

    7d56f54e9d29ea8e6b5533bc87db0349

    SHA1

    129cbcf51bc30a690f99d25fb7fc5fa1e910ddc5

    SHA256

    67373f02e2d5cb85f46e2f30de7eb5a4ff9762155baf6d75f3437ef1e9a40c5b

    SHA512

    5f027113bc529b708a348b3c0ae62edaf926ca6fef089fbcef99d2ff43bbe7e229ec2bfe562b50a49b807dcb9834aff164e30c9f410f96da621fdcea09f67a38

  • C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\adbr02.exe

    Filesize

    2.2MB

    MD5

    e0c3bf874e08648e65a16fa62b11c735

    SHA1

    5e4f96d982cb4c8522befc27dd8779ef681637b3

    SHA256

    fd558458ed917c4be35e4a1b6be608e087ae86eecb280f408b39af112717382d

    SHA512

    b2955a3b36d2002a166e62d459fe028b0b6c727390b9e5b545b683572db244bc8b4ce5bff6cef05509cf8d529caa874c4955708a07ad3f508438fed8ea87c02a

  • memory/1100-74-0x0000000000210000-0x0000000000212000-memory.dmp

    Filesize

    8KB

  • memory/1724-73-0x00000000005B0000-0x00000000005B2000-memory.dmp

    Filesize

    8KB

  • memory/1768-122-0x00000000024A0000-0x000000000276B000-memory.dmp

    Filesize

    2.8MB

  • memory/1768-121-0x00000000024A0000-0x000000000276B000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-126-0x00000000026C0000-0x00000000028CC000-memory.dmp

    Filesize

    2.0MB

  • memory/2064-124-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-130-0x00000000026C0000-0x00000000028CC000-memory.dmp

    Filesize

    2.0MB

  • memory/2064-141-0x00000000026C0000-0x00000000028CC000-memory.dmp

    Filesize

    2.0MB

  • memory/2064-140-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-138-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-137-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-139-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2064-148-0x00000000026C0000-0x00000000028CC000-memory.dmp

    Filesize

    2.0MB

  • memory/2064-152-0x00000000026C0000-0x00000000028CC000-memory.dmp

    Filesize

    2.0MB

  • memory/2472-123-0x0000000000400000-0x00000000006CB000-memory.dmp

    Filesize

    2.8MB

  • memory/2472-125-0x0000000002570000-0x000000000283B000-memory.dmp

    Filesize

    2.8MB