Analysis

  • max time kernel
    120s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    27/11/2024, 14:29 UTC

General

  • Target

    64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

  • Size

    3.9MB

  • MD5

    d7fd4d232e6944306d7756dbb57d9f82

  • SHA1

    4216e260ee2c9b683a6b886dd66b0f1b37ce2869

  • SHA256

    64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce

  • SHA512

    97d00d3441ca2507a284f1886f5ea7f0b9a3d6b6863fe56ba6784e628d571ff2e681f1fc00bc52bb4e9005be2efc1d2ffcd7ba3a19e8f747023b14dd98ae785b

  • SSDEEP

    49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV8u/kUHHklZ77Szh9ownI:RF8QUitE4iLqaPWGnEvS9Ejzh9oEI

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (196) files with added filename extension

    This suggests ransomware activity: files across the system are being rewritten and renamed with a new extension, as an encryptor would do.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information (for example the SystemBiosVersion and VideoBiosVersion values under HKLM\HARDWARE\DESCRIPTION\System) is often read in order to detect virtualised sandbox environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
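The anti-VM and mass-rename signatures above are derived from raw registry and file-system telemetry rather than observed directly. The following added example (not code from the sandbox vendor or from the report) re-derives both from a constructed event list that imitates what a sandbox, Sysmon or Procmon would record for PID 1796. The registry paths are the standard VirtualBox ACPI OEM-ID keys and BIOS description values that anti-VM checks read; which exact keys this sample touched is not stated on the page, and the `.tmp` extension in the rename events is an assumption taken from the dropped-file names listed under Downloads.

```python
"""Re-derive two sandbox signatures from raw events (added example).

Event records are constructed for illustration; field names (pid, type,
path, new_path) are assumptions, not a vendor's schema.
"""
import re
from collections import Counter

# VirtualBox stamps its ACPI tables with the OEM ID "VBOX  ", which Windows
# exposes as a VBOX__ subkey under each table type.
VBOX_ACPI_RE = re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
# BIOS vendor strings that typically contain "VBOX", "VMware", "QEMU", etc.
BIOS_VALUE_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\"
    r"(SystemBiosVersion|VideoBiosVersion|SystemBiosDate)$", re.I)


def anti_vm_registry_iocs(events):
    """Return (signature, registry_path) for each registry access matching
    the VirtualBox ACPI or BIOS-description anti-VM checks."""
    hits = []
    for ev in events:
        if ev["type"] not in ("RegOpenKey", "RegQueryValue"):
            continue
        path = ev["path"]
        if VBOX_ACPI_RE.search(path):
            hits.append(("Identifies VirtualBox via ACPI registry values", path))
        elif BIOS_VALUE_RE.search(path):
            hits.append(("Checks BIOS information in registry", path))
    return hits


def mass_rename_signature(events, threshold=10):
    """Count renames of the form old -> old + ".<ext>" (an appended extension,
    the ransomware pattern). Return (count, ext) for the most common appended
    extension if it reaches `threshold`, otherwise None."""
    appended = Counter()
    for ev in events:
        if ev["type"] != "FileRename":
            continue
        old, new = ev["path"], ev["new_path"]
        # Only count a rename that keeps the original name and appends ".x".
        if new.startswith(old + ".") and len(new) > len(old) + 1:
            appended[new[len(old):]] += 1
    if not appended:
        return None
    ext, count = appended.most_common(1)[0]
    return (count, ext) if count >= threshold else None


# Constructed telemetry for PID 1796: three anti-VM lookups, one benign
# registry read, twelve appended-extension renames and one ordinary rename.
SAMPLE_EVENTS = [
    {"pid": 1796, "type": "RegOpenKey",
     "path": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 1796, "type": "RegQueryValue",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 1796, "type": "RegQueryValue",
     "path": r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"pid": 1796, "type": "RegQueryValue",
     "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 1796, "type": "FileRename",
     "path": r"C:\Users\Admin\Documents\notes.txt",
     "new_path": r"C:\Users\Admin\Documents\notes_old.txt"},
] + [
    {"pid": 1796, "type": "FileRename",
     "path": rf"C:\Users\Admin\Documents\file{i}.docx",
     "new_path": rf"C:\Users\Admin\Documents\file{i}.docx.tmp"}
    for i in range(12)
]


def summarize(events):
    """Collapse the raw hits into the signature-style summary a report shows."""
    vm_hits = anti_vm_registry_iocs(events)
    names = sorted({name for name, _ in vm_hits})
    renames = mass_rename_signature(events)
    if renames:
        names.append(f"Renames multiple ({renames[0]}) files "
                     f"with added filename extension {renames[1]}")
    return names


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

Note that a single BIOS or ACPI read is a weak indicator on its own (legitimate installers also inspect hardware); the report's signatures carry weight here because they co-occur with the mass-rename behaviour in one process.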

Processes

  • C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
    "C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1796

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

    Filesize

    4.0MB

    MD5

    60f5e8027708a08f55e58c4969fa8083

    SHA1

    bcb52a1e3218ccfefda661ffcd057657cdbefdf2

    SHA256

    7e8e141819ec8b1b6f8350aed8b840a983af2689d64248efd934e65cdd40057c

    SHA512

    64fee121c76dfc9eeb66c88b5ea60c3fc2733eb57237575f3545e75be0b6a57ea96ec315bd7480a91ee13d9275fdee81f6fa71618e8a1bd9917c60238eb644ce

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

    Filesize

    4.1MB

    MD5

    fb012b9f5c1e749fcab90e329faa215e

    SHA1

    0fc9f2900f65e074d156ea4b1e1a055253119b17

    SHA256

    b73d31f61c7a8f858cdc6faa489f2e6ccb67e93b809ea32dd4e90042c2fd13b2

    SHA512

    c9daf0ac70a694da0fed1606d7a4afcc31f728aba8a974356cf88bf1614618f8ecdc24fc126e6016ceedceb29a72da0008a9569b79fad50adb1b0d797951ac37

  • memory/1796-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1796-1-0x00000000030C0000-0x00000000032CC000-memory.dmp

    Filesize

    2.0MB

  • memory/1796-8-0x00000000030C0000-0x00000000032CC000-memory.dmp

    Filesize

    2.0MB

  • memory/1796-11-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1796-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1796-13-0x00000000030C0000-0x00000000032CC000-memory.dmp

    Filesize

    2.0MB

  • memory/1796-25-0x00000000030C0000-0x00000000032CC000-memory.dmp

    Filesize

    2.0MB

  • memory/1796-41-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/1796-45-0x00000000030C0000-0x00000000032CC000-memory.dmp

    Filesize

    2.0MB
