banload | f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8

Analysis

max time kernel
120s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Size

3.0MB
MD5

299d5f94d35d28ae98e5454a0bdca9a3
SHA1

db7c8111fe03133f118507f4beefcaedc058ae25
SHA256

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8
SHA512

224681a0028f25656dbc6c49feb564000f332da5bab64b65c6e1835698daff1c866b3d9aed3244fa784f91a2734e7aeeda878b7bf3869a2212a56597aba8319f
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV47RIgiBul:RF8QUitE4iLqaPWGnEvK7RZ

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Renames multiple (520) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InkObj.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.VisualC.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Web.HttpUtility.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshe.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.FileVersionInfo.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\da-DK\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Http.Json.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\IpsPlugin.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Crashpad\metadata.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\ShapeCollector.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Modifies registry class 5 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "System.Globalization.IdnMapping"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	pid	Process
Token: 33	2420	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Token: SeIncBasePriorityPrivilege	2420	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp

Filesize
3.1MB

MD5
e40a2f9817cbf911008f7b3aa904d18e

SHA1
528d02eef642d17eefd8b930ad6a4d42d734c338

SHA256
1698bb22cdfc00046670a935a25742d70d47ab6d67b3c85fe449c559bf91a19a

SHA512
86bf5565281f5b75f5d5a0c02528881e9fe5765f1d80adb2150940925ce709e6574f1facd3deb5c7eb8f4a3ba8ad7fd21e6b86c2ccdd2931f32049842c436790

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
3.2MB

MD5
32d5188366d79f0845944456bba720f7

SHA1
9b825ee0097901862cd12fa8b781bf337ffd2769

SHA256
3f3f8615f4469fa802db90a3851b33da1e9370d35e795f958dcd511ffacdd8d6

SHA512
0ba3cc3efe95a49b8cbbd0632e1169a09114d964f67d34248f64dcf1674df0b48d67f075c7062eb3c10fd2d3ea0ff776bb12801547bf68ea038e8f6f66ae9c93

Download Submit
memory/2420-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2420-2-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download
memory/2420-9-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download
memory/2420-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2420-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2420-14-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download
memory/2420-46-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download
memory/2420-47-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download
memory/2420-130-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2420-148-0x0000000004960000-0x0000000004B6C000-memory.dmp

Filesize
2.0MB

Download