Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03-12-2024 00:54
Static task
static1
Behavioral task
behavioral1
Sample
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Resource
win10v2004-20241007-en
General
-
Target
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
-
Size
3.3MB
-
MD5
bf82d2c331398018750c202bd9f02e3d
-
SHA1
495d6af8bd5729e577d83bae342d420a88676ccc
-
SHA256
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538
-
SHA512
a05396adf45cf6147271c3568b13e6085e09cff105e476cc272a86bb176bc0be1b328a35fb728e1aeeb0fef2fa93fa3a1947362ed8555bfad2546c4944a84d2c
-
SSDEEP
98304:RF8QUitE4iLqaPWGnEvSdsc0B18YhT8qM:RFQWEPnPBnEKd50P8YhT81
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe -
Renames multiple (678) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe -
Drops file in Program Files directory 64 IoCs
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription ioc Process File created C:\Program Files\7-Zip\7zG.exe.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.AppContext.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ja-jp.xml.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\Ole DB\sqloledb.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-memory-l1-1-0.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.SecureString.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\7-Zip\Lang\mk.txt.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVScripting.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-fibers-l1-1-0.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\7-Zip\Uninstall.exe.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.Watcher.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\hr-HR\tipresx.dll.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\Services\verisign.bmp.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\Ole DB\de-DE\oledb32r.dll.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Drawing.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\7-Zip\Lang\is.txt.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsita.xml.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-profile-l1-1-0.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\ado\adojavas.inc.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Tracing.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-conio-l1-1-0.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.UnmanagedMemoryStream.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\7-Zip\Lang\io.txt.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\7-Zip\Lang\pl.txt.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\msinfo32.exe.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Specialized.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\clretwrc.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.FileSystem.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Linq.Parallel.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Primitives.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\ado\msadomd.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Csp.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\netstandard.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe -
Modifies registry class 3 IoCs
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{00020803-0000-0000-C000-000000000046}" 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exedescription pid Process Token: 33 3428 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe Token: SeIncBasePriorityPrivilege 3428 2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3428
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5f4da69a6a6d43bc2c607fb4653a6ed48
SHA1ba85556316efbb24df5f07d3cb31fb000b1432c8
SHA2563b009739c8d2fce7675ec6205acb84411f38cb529c64a84b8960ce36a962cdda
SHA5128bc5c9cf8608e68c06f53288c5c0d6586c02fc2715db413fde7ce39be8c5c99711c974d7854be1600c615481cef17e24371764963c0b6cce60f023efd6692be4
-
Filesize
3.5MB
MD51ffcb85a39a0842f352a1628accb9a26
SHA1443f32b8b2747d24419b95998219ce93245edea9
SHA256a1abcb6cecf3d98f8812f5227d7748b2831a7604babf321336d9133941afe97b
SHA5122060d45031a6bc20dbc38c226a7a7df77e03934214a0e4d040ab87d0997c7a607e3b2ce45470a13a35f15d9879b08ee74fab880e90d91bc209d83af3aa45093b