Analysis
max time kernel: 4s
max time network: 0s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2024 21:19

Static task: static1
Behavioral task: behavioral1 (the run reported below: Windows 7 x64)
  Sample: Po2865-16-CD1.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Po2865-16-CD1.exe
  Resource: win10v2004-20240802-en
General
Target: Po2865-16-CD1.exe
Size: 2.4MB
MD5: 77914c7c55fea8133e89f9cd8ffa551b
SHA1: 5a23d06d72f5498c34c692624472ad32a3c97d3a
SHA256: 84c48a6fb8c37c190eab05a96a98432a175dba7ff9f6853d6b91e260481bf2df
SHA512: 31a39168c7d58fd66db4cee361aacd4986b49af2450e1b8c63caa95eccd2355acd1eba722b0208d52f9cde0029d98af78208a809ed4a73f33c52c4ec3a69f250
SSDEEP: 49152:IyCUpqemBrMxxniTruyASH1hZWJ61fFEfHOvUHuApND72nq+ilMQc+O/Zi/+f:IyCEq1rWni5ASH1/t51An7f+i2QQi/c
Signatures

Banload
  Banload variants download malicious files, then install and execute the files.

Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs, 1 IoC
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (adbr01.exe)

Sets file to hidden | 1 TTP, 5 IoCs
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe (PIDs 1312, 1932, 2316, 576, 960)

Checks BIOS information in registry | 2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (adbr01.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  (adbr01.exe)

Executes dropped EXE | 2 IoCs
  Processes: adbr01.exe (PIDs 2472, 2064)

Loads dropped DLL | 3 IoCs
  Processes: cmd.exe (PID 1768, two loads), adbr01.exe (PID 2472)

Adds Run key to start application | 2 TTPs, 1 IoC
  Set value (str): \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeA = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Adobe Inc\\AdobeRead\\dpro1.bat"  (reg.exe)

Enumerates physical storage devices | 1 TTP
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery | 1 TTP, 16 IoCs
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  By: Po2865-16-CD1.exe, xcopy.exe, WScript.exe (x2), attrib.exe (x5), adbr01.exe (x2), cmd.exe (x2), DllHost.exe, reg.exe, ipconfig.exe

Enumerates system info in registry | 2 TTPs, 1 IoC
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  (xcopy.exe)

Gathers network information | 2 TTPs, 1 IoC
  Uses commandline utility to view network configuration.
  Process: ipconfig.exe (PID 2832)

Modifies registry class | 5 IoCs
  All by adbr01.exe, under \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{37EDC348-F7AF-59EA-E1CC-DDFB47F24187}:
  Set value (str): InProcServer32\(default) = "C:\\Windows\\SysWOW64\\webcheck.dll"
  Set value (str): InProcServer32\ThreadingModel = "Apartment"
  Key created: {37EDC348-F7AF-59EA-E1CC-DDFB47F24187}
  Set value (str): (default) = "WebCheckWebCrawler"
  Key created: InProcServer32

Suspicious use of FindShellTrayWindow | 1 IoC
  Process: DllHost.exe (PID 1100)

Suspicious use of WriteProcessMemory | 64 IoCs
  Every "PID <src> wrote to memory of <dst>" entry is repeated seven times per child process; collapsed by parent/child pair (child names taken from the process tree below):
  src PID  src process         dst PID  dst process  procid_target  entries
  2672     Po2865-16-CD1.exe   2728     WScript.exe  31             7
  2728     WScript.exe         1724     cmd.exe      32             7
  1724     cmd.exe             2020     xcopy.exe    35             7
  1724     cmd.exe             2316     attrib.exe   36             7
  1724     cmd.exe             576      attrib.exe   37             7
  1724     cmd.exe             960      attrib.exe   38             7
  1724     cmd.exe             1312     attrib.exe   39             7
  1724     cmd.exe             1932     attrib.exe   40             7
  1724     cmd.exe             1752     WScript.exe  41             7
  1752     WScript.exe         1768     cmd.exe      42             1 (listing stops at the 64-IoC cap)

Views/modifies file attributes | 1 TTP, 5 IoCs
  Processes: attrib.exe (PIDs 1312, 1932, 2316, 576, 960)
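The WriteProcessMemory listing above is the raw material a sandbox uses to draw its process tree: each "PID A wrote to memory of B" line is a parent writing into a child it has just created. The script below is an added example (not part of the Triage report or its tooling) that parses a few of those lines in the flattened form the page renders them, collapses the repeated entries into one edge with a count, rebuilds the tree, and flags edges where a script host is the writer, which is the VBS-to-cmd hand-off this sample shows twice. The sample lines are a constructed subset copied from the report; leaf processes come out unnamed because only writers are named in this data.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a handful of the "Suspicious use of WriteProcessMemory"
# IoC lines from this report, in the flattened form the page renders them
# ("PID <src> wrote to memory of <dst> <src> <process> <procid_target>").
# Duplicates are kept on purpose; the real listing repeats each pair seven times.
SAMPLE_IOCS = """\
PID 2672 wrote to memory of 2728 2672 Po2865-16-CD1.exe 31
PID 2672 wrote to memory of 2728 2672 Po2865-16-CD1.exe 31
PID 2728 wrote to memory of 1724 2728 WScript.exe 32
PID 1724 wrote to memory of 2020 1724 cmd.exe 35
PID 1724 wrote to memory of 2316 1724 cmd.exe 36
PID 1724 wrote to memory of 1752 1724 cmd.exe 41
PID 1752 wrote to memory of 1768 1752 WScript.exe 42
"""

IOC_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$"
)


def parse_iocs(text):
    """Yield (src_pid, dst_pid, src_process_name) for every well-formed line."""
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            yield int(m["src"]), int(m["dst"]), m["proc"]


def build_tree(text):
    """Collapse repeated entries into parent -> [children], pid -> name, (parent, child) -> count."""
    children = defaultdict(list)
    names = {}
    counts = Counter()
    for src, dst, proc in parse_iocs(text):
        names[src] = proc
        if (src, dst) not in counts:      # first sighting of this edge: record it once
            children[src].append(dst)
        counts[(src, dst)] += 1
    return children, names, counts


def roots(children):
    """PIDs that write into other processes but are never written into: the tree roots."""
    targets = {c for cs in children.values() for c in cs}
    return [p for p in children if p not in targets]


def render(children, names, counts, pid, depth=0, parent=None, out=None):
    """Indented text tree; leaves show <unknown> because only writers are named in this data."""
    out = [] if out is None else out
    hits = ""
    if parent is not None:
        n = counts[(parent, pid)]
        hits = f" ({n} write{'s' if n != 1 else ''})"
    out.append(f"{'  ' * depth}{pid} {names.get(pid, '<unknown>')}{hits}")
    for child in children.get(pid, []):
        render(children, names, counts, child, depth + 1, pid, out)
    return out


def script_host_spawns(children, names):
    """Edges whose writer is a script host; a VBS dropper handing off to cmd.exe looks like this."""
    hosts = {"wscript.exe", "cscript.exe"}
    return [(p, c) for p, cs in children.items()
            if names.get(p, "").lower() in hosts for c in cs]


if __name__ == "__main__":
    ch, nm, ct = build_tree(SAMPLE_IOCS)
    for root in roots(ch):
        print("\n".join(render(ch, nm, ct, root)))
    print("script host -> child:", script_host_spawns(ch, nm))
```

On the full 64-entry listing the same code yields one root (2672) and nine children with seven writes each, plus the truncated 1752 -> 1768 edge with a single write; the count column is how you notice that truncation rather than mistaking it for a different launch pattern.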
Processes
(Image paths are reported under C:\Windows\SysWOW64 while the command lines name C:\Windows\System32: the whole chain is 32-bit, so WoW64 file-system redirection maps System32 to SysWOW64 for it.)

[1] C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe  (PID 2672)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe  (PID 2728)
      cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1724)
        cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\xcopy.exe  (PID 2020)
          cmdline: xcopy /y /h /e /r /k /c *.* "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\"
          signatures: System Location Discovery: System Language Discovery; Enumerates system info in registry
      [4] C:\Windows\SysWOW64\attrib.exe, five instances, each with: Sets file to hidden; System Location Discovery: System Language Discovery; Views/modifies file attributes
          PID 2316: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"
          PID 576:  attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\AdobeR"
          PID 960:  attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe Reader\ADBR\READER"
          PID 1312: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER"
          PID 1932: attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\AdobeR"
      [4] C:\Windows\SysWOW64\WScript.exe  (PID 1752)
          cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\Adob7.vbs"
          signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1768)
            cmdline: cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adb03.bat" /quiet /passive /norestart"
            signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\reg.exe  (PID 2896)
              cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "AdobeA" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"
              signatures: Adds Run key to start application; System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\ipconfig.exe  (PID 2832)
              cmdline: ipconfig /all
              signatures: System Location Discovery: System Language Discovery; Gathers network information
          [6] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe  (PID 2472)
              cmdline: adbr01.exe -f "011.011"
              signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe  (PID 2064)
                cmdline: adbr01.exe -f "011.011"
                signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies registry class

[1] C:\Windows\SysWOW64\DllHost.exe  (PID 1100)
    cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
    signatures: System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow
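The chain above reduces to four behaviours a detection engineer can write rules for: a script host (WScript.exe) spawning cmd.exe, attrib.exe setting +s +h on directories under %APPDATA%, reg.exe adding an HKCU Run value that points at a .bat in the user profile, and the dropped adbr01.exe reading the VirtualBox ACPI key and BIOS values. The rules below are an added example (not the sandbox's signatures and not anyone's product schema); they run over constructed event records whose paths, PIDs and command lines are copied from this report, plus one benign Run-key record to show the rules do not fire on ordinary software. One caveat the report does not spell out: the two registry probes are key opens and value queries. Sysmon logs registry create, delete, set and rename (events 12, 13, 14) but not reads, so the vm_bios_probe rule needs telemetry that records reads (a sandbox like this one, or an EDR that hooks them); the other three rules work on plain process-creation and registry-set events.

```python
import re

# Constructed EDR/sandbox-style event records modelled on the behaviour in this
# report (paths, PIDs and command lines are taken from the report; the last
# record is a benign Run-key entry added to show the rules ignore ordinary
# software). Field names are this example's own, not any product's schema.
EVENTS = [
    {"type": "process", "pid": 2728,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Po2865-16-CD1.exe",
     "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adobedc.vbs"'},
    {"type": "process", "pid": 1724,
     "parent_image": r"C:\Windows\SysWOW64\WScript.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Roaming\AdobeR\ADBR\READER\Adob02.bat" /quiet /passive /norestart"'},
    {"type": "process", "pid": 2316,
     "parent_image": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib +r +a +s +h "C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead"'},
    {"type": "reg_set", "pid": 2896, "image": r"C:\Windows\SysWOW64\reg.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "AdobeA",
     "data": r"C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\dpro1.bat"},
    {"type": "reg_read", "pid": 2064,
     "image": r"C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe",
     "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_read", "pid": 2064,
     "image": r"C:\Users\Admin\AppData\Roaming\Adobe\Adobe Inc\AdobeRead\adbr01.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    # Benign control record (constructed): an installer registering its own tray app.
    {"type": "reg_set", "pid": 4100, "image": r"C:\Program Files\Example\setup.exe",
     "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "ExampleTray",
     "data": r"C:\Program Files\Example\tray.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")
# Key suffixes this sample reads to fingerprint VirtualBox and the BIOS (from the report).
VM_PROBE_KEY_SUFFIXES = (r"\acpi\dsdt\vbox__", r"\system\systembiosversion", r"\system\systembiosdate")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_profile(path):
    return "\\appdata\\" in path.lower()


def rule_script_host_spawns_shell(e):
    """WScript/CScript launching cmd or PowerShell: the VBS-to-batch hand-off in the tree."""
    return (e["type"] == "process"
            and basename(e["parent_image"]) in SCRIPT_HOSTS
            and basename(e["image"]) in SHELLS)


def rule_attrib_hides_profile_dir(e):
    """attrib setting both +s and +h on a path under %APPDATA%."""
    if e["type"] != "process" or basename(e["image"]) != "attrib.exe":
        return False
    flags = set(re.findall(r"\+[a-z]", e["cmdline"].lower()))
    return {"+s", "+h"} <= flags and in_user_profile(e["cmdline"])


def rule_run_key_to_profile_script(e):
    """HKCU Run value whose data is a script living in the user profile."""
    return (e["type"] == "reg_set"
            and e["key"].lower().endswith(r"\currentversion\run")
            and e["data"].lower().endswith(SCRIPT_EXT)
            and in_user_profile(e["data"]))


def rule_vm_bios_probe(e):
    """Reads of the VirtualBox ACPI table key or the BIOS version/date values."""
    return e["type"] == "reg_read" and e["key"].lower().endswith(VM_PROBE_KEY_SUFFIXES)


RULES = {
    "script_host_spawns_shell": rule_script_host_spawns_shell,
    "attrib_hides_profile_dir": rule_attrib_hides_profile_dir,
    "run_key_to_profile_script": rule_run_key_to_profile_script,
    "vm_bios_probe": rule_vm_bios_probe,
}


def evaluate(events):
    """Return [(rule_name, pid)] for every event that matches a rule, in event order."""
    return [(name, e["pid"]) for e in events for name, fn in RULES.items() if fn(e)]


def verdict(hits, threshold=3):
    """Score on distinct behaviours, not raw hit count, so one noisy rule cannot escalate alone."""
    distinct = {name for name, _ in hits}
    if len(distinct) >= threshold:
        return "malicious"
    return "suspicious" if distinct else "clean"


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for name, pid in hits:
        print(f"{name:28s} pid={pid}")
    print("verdict:", verdict(hits))
```

Scoring on distinct rule names rather than hit count is deliberate: the vm_bios_probe rule fires twice on the same process here, and on a real host a single chatty rule should not be enough to push a verdict to "malicious" on its own.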
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (1)
  Virtualization/Sandbox Evasion (1)
Downloads

File 1
  Filesize: 120B
  MD5: b0512358af17f4999841bebf8afcb2c5
  SHA1: 56904fade30129d6b224c8b5b2a55e9820d20293
  SHA256: 63e94cc5a681c68f87332103e1b3736bc4fb8ae618b4143a5cd6302661cdc66e
  SHA512: 261d2260e80cbbff96fb6f42295823360bbc72be8a9eda9596976861280d0c25b03056cd96cc217b6dd4ecc774c9f0adf124028626bacf7341bb1a8e6bfda136

File 2
  Filesize: 124KB
  MD5: 1a1075e5e307f3a4b8527110a51ce827
  SHA1: f453838ed21020b7ca059244feea8579e5aa74ef
  SHA256: ddd90e3546e95b0991df26a17cf26fa2f1c20d6a1fd4ffccf1e9b3ec3d3810d5
  SHA512: b6b70c6cb3cdb05a69c75b86c1fa0fadb38de0391e1fa17daff7d12dfae2a9f483546d9bf1001ff622694fdf8a28b85cd30fc541c25be62df022d22ca17decc1

File 3
  Filesize: 560B
  MD5: 9d87ac4776ba4e29a292f23e5495e606
  SHA1: 253df9f0dca81a2766876c265206a8fb4c3137a9
  SHA256: 14d8eee9761a090c5f5fe79dda8ca9531d400b0b383a2a5680a2dff0b886917a
  SHA512: 3ccf64e3ae4012456c8c94aacf0838a3d277dafbc20e0f093338a863963ffce3b715dba291fe9701c96390242457d8d0cafa834b667c73dca68760aca6447148

File 4
  Filesize: 222B
  MD5: 198d2b0736cfc4833acdf49e8cf261dc
  SHA1: 05ef064907fbec52a8385367f687a5561731fb37
  SHA256: c9d4227e54618b900f365342587d5843d23ed22116c089e984f394a6f5ce8006
  SHA512: 089f66c8bf793c357ab85dbbdd5852d9ce097c55153ae2c44f6eb728e06c7ddbd6988f9a0de4348343bc211241104e6dbe726a6478749093d17335427ae9da02

File 5
  Filesize: 223B
  MD5: 620e43d3cd51594e6f631e90d9fd8c22
  SHA1: 000e31e9557fa25e9fd94cd51c7b9583d495d3b2
  SHA256: 53540306a6a950f8cbd1e7c9628d5342eb6f3849398fc448b9c5a42c8cabf449
  SHA512: bcbab8cfbe5a425531c64dfebf5d3c08323c203d9dd74bea08bd955631dda0a7a88a9092f0eb7ae70e4c0221f85c5ca9e360ed03b8e9d0eeacd1a458ab2c38c6

File 6
  Filesize: 256KB
  MD5: e498d1248df22b33ef62ec548f2b76b7
  SHA1: db53f5f6a7f7d0c36292d641898409dc81efb1c0
  SHA256: b1d2ee6ddc0b53765d2aa7af44be4531e77fe8eca912854307aeba25e284ada6
  SHA512: 6923fba13a2ef9c5e975134cb27b77074754a22d0363d525c36b7867012c0e06ff4bff9555fcc83be72723f39b19462655de19877c0206fa2d618ad2d1cb3c63

File 7
  Filesize: 140B
  MD5: 124cb6324d434946a483e0f2e55d08b0
  SHA1: 2a8955feb5919c59221191c94b6191425eda6c6f
  SHA256: f3b41f2e24a8cd343d71db7d861ad2511690d4ce6020714e5831ddeab5df2637
  SHA512: 9d8c940c4c420f6048ce6bfa67d8d1ce9c7c7392b02a0c500ddbce91ca708f6cd3892c27db9f06bae7e325b39db5f86cb77cbcf168906d3c7444cc7797a178a5

File 8
  Filesize: 1KB
  MD5: 743524e8dcafbeb3b1723c1b8b69da1f
  SHA1: a7410d68a17e91b56f379b647ed87c8f06728564
  SHA256: 6058df5b51469d19a8a386136e2f6caefaa36d8c4a596c5d202f819837f1627a
  SHA512: d3f0f7b5b6382d5e4228ea9baaa6466a2eb8cd3a00aa9e79683c87a559723a0baab46738e94fce8f3d380758006636e5486a0c6adc3941628b9f37aacc36b5c6

File 9
  Filesize: 2.2MB
  MD5: 7d56f54e9d29ea8e6b5533bc87db0349
  SHA1: 129cbcf51bc30a690f99d25fb7fc5fa1e910ddc5
  SHA256: 67373f02e2d5cb85f46e2f30de7eb5a4ff9762155baf6d75f3437ef1e9a40c5b
  SHA512: 5f027113bc529b708a348b3c0ae62edaf926ca6fef089fbcef99d2ff43bbe7e229ec2bfe562b50a49b807dcb9834aff164e30c9f410f96da621fdcea09f67a38

File 10
  Filesize: 2.2MB
  MD5: e0c3bf874e08648e65a16fa62b11c735
  SHA1: 5e4f96d982cb4c8522befc27dd8779ef681637b3
  SHA256: fd558458ed917c4be35e4a1b6be608e087ae86eecb280f408b39af112717382d
  SHA512: b2955a3b36d2002a166e62d459fe028b0b6c727390b9e5b545b683572db244bc8b4ce5bff6cef05509cf8d529caa874c4955708a07ad3f508438fed8ea87c02a