Overview

overview

10

Static

static

3

2024-11-29...ff.exe

windows7-x64

10

2024-11-29...ff.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe

  • Size

    13.1MB

  • MD5

    947c1c8939c8f393224328d2e1d25947

  • SHA1

    338ecfda564a8fc588f5bd1d71d66390500d25d0

  • SHA256

    2427944ef51d4c628073b5db91d897ef4e42595603784a600e95041afb11582a

  • SHA512

    b2b004de725fd60825d2ce995fed9499e4b118830f8daca8cf1bc266fd4517b3d5cbf44b884e2c8647f56a687d62f1c981262d088b1075b591ac6b530825b267

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOk3oaCVA7m2St29Ejzh9oEcx/R2qVIK4t:RFQWEPnPBnEXPELR8N3MKFBIHuM/s

Score
10/10
banloaddiscoverydownloaderdropperevasionransomwaretrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Banload family
    banload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Renames multiple (219) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp
    Filesize

    13.2MB

    MD5

    7a2f84477d78ec3e69ad88e98ef281a4

    SHA1

    30b9c93554926c2584f38327f7fb80aee258d5bd

    SHA256

    6a50fa5b3af1c324a5b59181010dca0790dc6b5f860c00fba63dabcc1721371e

    SHA512

    4949391ba27b46f2faf7119f2cabdde49c51268c6aa15a13acb12ef41e6027a4f51099910dc5a7809aac86f5eddf0ecda2089945eec07470d602c86dd3901c61

    Download Submit

  • C:\Program Files\7-Zip\7-zip.dll.tmp
    Filesize

    13.3MB

    MD5

    389027fbb5baa20c77ce1b6eb831cae1

    SHA1

    a74569f1da16b747f828ba984ef9085dca8f0312

    SHA256

    92b593919ae4493c8acdc4a6b12503d36e71a457f3ca65febf77beeb976c7ebb

    SHA512

    094dfc4f4cb9050c552ad339252d62ce406ea191da6ccc3a283800f45e8d09ac166d492ed74596865712731c5f898b3edb8e5fdb3ef115b3ff05dab4324f231a

    Download Submit

  • memory/3208-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3208-2-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3208-9-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3208-13-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3208-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3208-14-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3208-23-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3208-22-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3208-40-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3208-44-0x0000000004970000-0x0000000004B7C000-memory.dmp

    Filesize

    2.0MB

    Download