Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-12-2024 00:54

General

  • Target

    2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe

  • Size

    3.3MB

  • MD5

    bf82d2c331398018750c202bd9f02e3d

  • SHA1

    495d6af8bd5729e577d83bae342d420a88676ccc

  • SHA256

    2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538

  • SHA512

    a05396adf45cf6147271c3568b13e6085e09cff105e476cc272a86bb176bc0be1b328a35fb728e1aeeb0fef2fa93fa3a1947362ed8555bfad2546c4944a84d2c

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEvSdsc0B18YhT8qM:RFQWEPnPBnEKd50P8YhT81

Malware Config

Signatures

  • Banload

    Banload variants download additional malicious files, then install and execute them.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (678) files with added filename extension

    This is consistent with ransomware encrypting files across the system and appending an extension to each renamed file; the count reflects only what was observed within the sandbox run.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies registry class 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
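
The four behavioural signatures above can be expressed as rules over an API trace. The following is an added example, not the sandbox's own rule set or anything taken from this report: it runs a small matcher over a constructed Windows API trace and fires the VirtualBox ACPI check, the BIOS registry check, system language discovery, and the mass-rename signature. The event schema, API names, registry paths, the rename threshold, the ".locked" extension and the ATT&CK mapping are all assumptions made for illustration.

```python
"""Toy behavioural-signature matcher over a constructed Windows API trace.

Added example for this report, not sandbox code. Registry paths, API names,
thresholds, the ".locked" extension and the ATT&CK IDs are assumptions.
"""
from collections import Counter
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]

# Assumed well-known artefact: VirtualBox exposes ACPI tables whose OEM ID
# appears as a "VBOX__" subkey under HKLM\HARDWARE\ACPI\<table>.
VBOX_ACPI_TABLES = ("DSDT", "FADT", "RSDT")
# Assumed BIOS descriptor values commonly read to fingerprint a VM/sandbox.
BIOS_VALUES = {"SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"}
# Assumed APIs that reveal the host's language/locale.
LANGUAGE_APIS = {"GetSystemDefaultLangID", "GetUserDefaultUILanguage", "GetLocaleInfoW"}
RENAME_THRESHOLD = 50  # assumed: X -> X.<ext> renames needed before we flag


def _norm(path: str) -> str:
    """Upper-case and backslash-normalise a registry path for comparison."""
    return path.replace("/", "\\").upper()


def sig_vbox_acpi(events: List[Event]) -> List[str]:
    """Registry opens/enumerations that only succeed on VirtualBox."""
    hits = []
    for e in events:
        if e["api"] not in ("RegOpenKeyExW", "RegEnumKeyExW"):
            continue
        key = _norm(e.get("key", ""))
        if any(f"\\HARDWARE\\ACPI\\{t}\\VBOX__" in key for t in VBOX_ACPI_TABLES):
            hits.append(key)
    return hits


def sig_bios_registry(events: List[Event]) -> List[str]:
    """Queries of BIOS descriptor values under HKLM\\HARDWARE\\DESCRIPTION\\System."""
    hits = []
    for e in events:
        if e["api"] != "RegQueryValueExW":
            continue
        key = _norm(e.get("key", ""))
        if key.endswith("\\HARDWARE\\DESCRIPTION\\SYSTEM") and e.get("value") in BIOS_VALUES:
            hits.append(e["value"])
    return hits


def sig_system_language(events: List[Event]) -> List[str]:
    """API calls that reveal the victim's language (used to infer geography)."""
    return [e["api"] for e in events if e["api"] in LANGUAGE_APIS]


def sig_mass_rename(events: List[Event]) -> Optional[Dict[str, Any]]:
    """Many renames of the form X -> X.<ext> with one dominant appended extension."""
    by_ext: Counter = Counter()
    for e in events:
        if e["api"] not in ("MoveFileW", "MoveFileExW"):
            continue
        src, dst = e["src"], e["dst"]
        # Only count renames that keep the original name and append ".<ext>".
        if dst.startswith(src + ".") and len(dst) > len(src) + 1:
            by_ext[dst[len(src):]] += 1
    if not by_ext:
        return None
    ext, count = by_ext.most_common(1)[0]
    return {"extension": ext, "count": count} if count >= RENAME_THRESHOLD else None


# Assumed ATT&CK mapping: T1497.001 System Checks, T1614.001 System Language
# Discovery, T1486 Data Encrypted for Impact.
SIGNATURES = {
    "vbox_acpi": ("T1497.001", sig_vbox_acpi),
    "bios_registry": ("T1497.001", sig_bios_registry),
    "system_language": ("T1614.001", sig_system_language),
    "mass_rename": ("T1486", sig_mass_rename),
}


def run_signatures(events: List[Event]) -> Dict[str, Any]:
    """Return {signature: {"ttp": ..., "result": ...}} for every rule that fired."""
    fired = {}
    for name, (ttp, fn) in SIGNATURES.items():
        result = fn(events)
        if result:
            fired[name] = {"ttp": ttp, "result": result}
    return fired


# Constructed trace (not from the report): a few probes, one benign rename, and
# 678 X -> X.locked renames to mirror the count the sandbox observed.
SAMPLE_TRACE: List[Event] = [
    {"api": "RegOpenKeyExW", "key": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"},
    {"api": "RegOpenKeyExW", "key": "HKLM\\SOFTWARE\\Classes\\.txt"},
    {"api": "RegQueryValueExW", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "SystemBiosVersion"},
    {"api": "RegQueryValueExW", "key": "HKLM\\HARDWARE\\DESCRIPTION\\System", "value": "VideoBiosVersion"},
    {"api": "GetSystemDefaultLangID"},
    {"api": "MoveFileExW", "src": "C:\\Users\\Admin\\Desktop\\notes.txt",
     "dst": "C:\\Users\\Admin\\Desktop\\old-notes.txt"},  # not an appended extension
]
SAMPLE_TRACE += [
    {"api": "MoveFileExW", "src": f"C:\\Users\\Admin\\Documents\\doc{i}.docx",
     "dst": f"C:\\Users\\Admin\\Documents\\doc{i}.docx.locked"} for i in range(678)
]

if __name__ == "__main__":
    for name, hit in run_signatures(SAMPLE_TRACE).items():
        print(f"{name:16} {hit['ttp']:10} {hit['result']}")
```

The rename rule deliberately ignores renames that change the base name, so ordinary file operations do not count toward the threshold; only a dominant appended extension across many files fires it.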

Processes

  • C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe
    "C:\Users\Admin\AppData\Local\Temp\2533c55c719d1ad97a05d2355136d6a8cf15eaf36c01dd70450a740291f7a538.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3428

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

    Filesize

    3.4MB

    MD5

    f4da69a6a6d43bc2c607fb4653a6ed48

    SHA1

    ba85556316efbb24df5f07d3cb31fb000b1432c8

    SHA256

    3b009739c8d2fce7675ec6205acb84411f38cb529c64a84b8960ce36a962cdda

    SHA512

    8bc5c9cf8608e68c06f53288c5c0d6586c02fc2715db413fde7ce39be8c5c99711c974d7854be1600c615481cef17e24371764963c0b6cce60f023efd6692be4

  • C:\Program Files\7-Zip\7-zip.dll.tmp

    Filesize

    3.5MB

    MD5

    1ffcb85a39a0842f352a1628accb9a26

    SHA1

    443f32b8b2747d24419b95998219ce93245edea9

    SHA256

    a1abcb6cecf3d98f8812f5227d7748b2831a7604babf321336d9133941afe97b

    SHA512

    2060d45031a6bc20dbc38c226a7a7df77e03934214a0e4d040ab87d0997c7a607e3b2ce45470a13a35f15d9879b08ee74fab880e90d91bc209d83af3aa45093b

  • memory/3428-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3428-2-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB

  • memory/3428-9-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB

  • memory/3428-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3428-13-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3428-14-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB

  • memory/3428-46-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB

  • memory/3428-47-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB

  • memory/3428-128-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/3428-146-0x0000000004920000-0x0000000004B2C000-memory.dmp

    Filesize

    2.0MB