banload | 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Size

3.3MB
MD5

bf82d2c331398018750c202bd9f02e3d
SHA1

495d6af8bd5729e577d83bae342d420a88676ccc
SHA256

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538
SHA512

a05396adf45cf6147271c3568b13e6085e09cff105e476cc272a86bb176bc0be1b328a35fb728e1aeeb0fef2fa93fa3a1947362ed8555bfad2546c4944a84d2c
SSDEEP

98304:RF8QUitE4iLqaPWGnEvSdsc0B18YhT8qM:RFQWEPnPBnEKd50P8YhT81

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

Drops file in Program Files directory 64 IoCs

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwritalm.dat.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IPSEventLogMsg.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mshwLatin.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mshwLatin.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipskins.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\tr.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwLatin.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\ClearReceive.rmi.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsPlugin.dll.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

Modifies registry class 9 IoCs

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Access.AllModulesClass"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Access, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Access.AllModulesClass"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727"	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

description	pid	Process
Token: 33	956	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Token: SeIncBasePriorityPrivilege	956	2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

Filesize
3.4MB

MD5
5cf9cbf6b03e35a8200ead00c192c99c

SHA1
76934ffe25acf258478a8fdbe416e0edb66b30e5

SHA256
4ace30a83dffb4877fd05735d905daf593fc8384b9ebe84e2e148bf4ee3056cc

SHA512
2e012cdac68307d1a23d13741c6c0d04cb369949e6659789d9a07310a273894c00c08342c9a5cf5130863e90db91f329f2f82772b55441b46b9c5d0769f9487b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.4MB

MD5
d8c8ffdd57f79c60c44a9d9ee8671996

SHA1
1f54a50a7759bca06db5a63e0984918688c6ce51

SHA256
69b445434f9f320194c7cd01595dabee0f0cf2cccced728e1bb5bcee6eee7d57

SHA512
04b82ae417c3e3eb2d6177b089badfd9ba0afdeac6946a1e2d4757ebbbdf3d3a214255af5a6e51b6eacc19fd5289604393807de121a1c7eaac38e51c3da4e405

Download Submit
memory/956-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/956-1-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download
memory/956-8-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download
memory/956-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/956-13-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download
memory/956-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/956-26-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download
memory/956-25-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download
memory/956-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/956-43-0x0000000002FA0000-0x00000000031AC000-memory.dmp

Filesize
2.0MB

Download