banload | facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3

Analysis

max time kernel
120s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-11-2024 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Size

4.6MB
MD5

757273ef0c95033bd1fdd495c4c01440
SHA1

9d62945c331540fc9331db4cd09f318137902c46
SHA256

facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3
SHA512

47c02c43ed6a33d3cd00b0f57a3de8a58fa755bc828c91c423fddb868e97ccf46dfa54f028c5d6bbb4ef9b9036fef21c6ea59b663344aa72ad79f2011b155222
SSDEEP

98304:RF8QUitE4iLqaPWGnEvSdsc0B18YhT8qX/WqDr:RFQWEPnPBnEKd50P8YhT825r

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

Renames multiple (195) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IPSEventLogMsg.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkObj.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\offfiltx.dll.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\micaut.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipRes.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkObj.dll.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.dll.tmp	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Outlook Office Explorer"	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll"	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE"	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2132	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
Token: SeIncBasePriorityPrivilege	2132	facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe

C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
"C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

Filesize
4.7MB

MD5
66d940622275df189a63df31b984c0d2

SHA1
82807e7a98d418d2cc2b0976d2fbda7dea0bc969

SHA256
1875a63dc38d688b90765c031e3b39bdc609b56cbb18494c03a5fbcf2fa9f583

SHA512
77b6bc91b30fbf11c8585ce1da8f83ccbbf9cfd3fd0d01bc8a71c8c5486fc7a729c133be5d2b1871037c64892dbb13bc07c08354f09fa6c478e83b6f38cf5b30

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
4.8MB

MD5
7a271af076acb1c627ac68eb9651d27d

SHA1
3f7ee775686858b87bfdc0757a0442323d9a6a76

SHA256
cf54edbd580668f3cdd7bbe9392d7f043c7298c86cf8ae598f97beeeabdb62b6

SHA512
6c6e9cc661fb01205160ad329e3d5cef19fbd2d3c2e25b13fb668dd1d6ae701b05b597123c670c8bcc7735fba4607b552eb99d7af46d6f41519a7c444b4fec21

Download Submit
memory/2132-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2132-1-0x0000000003110000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/2132-8-0x0000000003110000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/2132-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2132-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2132-13-0x0000000003110000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/2132-25-0x0000000003110000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download
memory/2132-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2132-45-0x0000000003110000-0x000000000331C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads