Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-12-2024 17:05

General

  • Target

    2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

  • Size

    13.3MB

  • MD5

    be4a5b81976ca86d9073acf739533bd7

  • SHA1

    e5c839b3238d27aa702633e72a8ad99925d1d24c

  • SHA256

    fd4321374a63a1c7e3b38de206126fe029312da2c22e758a688c5dc1f6f6cf8d

  • SHA512

    8bad167122923082a09d950d9a8214df355d6a208bf051f2bd90cf9727901df54ca142b592a6508065d4b42f4217a7e1f1028d949804c0f59dde31929340d0b6

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOk3oaCVA7m2St29Ejzh9oEcx/R2qVIK4u:RFQWEPnPBnEXPELR8N3MKFBIHuM/Z

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (176) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp

    Filesize

    13.5MB

    MD5

    293029dc3afc1fa71634706c5ba5ce09

    SHA1

    da780347b32a4d94e8b0013bfbc226eba0c0d86a

    SHA256

    a20e887a189e7cb743060187a81c480de34840f47672fe0bd8c868a7a3892c8d

    SHA512

    de4c01394b07f6967498ef80f0ee0d05b263e02361661ddba741cb7a07d172f19e0ac1c6e881f89ca1e4a5720969800ed6c80bbfff1ab6f0a4913f925215fe65

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

    Filesize

    13.5MB

    MD5

    0461999e7f151f0a46dfbb66854712e1

    SHA1

    835efdcc0972cfab7704facb3ee7d765012f5a75

    SHA256

    a838ad2a80344d0e29642ca387ff507731c3867a8bbaf4318401290ba5ab51f9

    SHA512

    fa3f36c33b11b0b6f832d2917552d67139dc636ebef8febd0da64ec60012d23da2c2961bfd14e8203adbd78ed62f363912e854a335ce0290c0c1d28e3153591d

  • memory/2724-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2724-1-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB

  • memory/2724-8-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB

  • memory/2724-11-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2724-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2724-13-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB

  • memory/2724-21-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB

  • memory/2724-22-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB

  • memory/2724-29-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

  • memory/2724-33-0x0000000003000000-0x000000000320C000-memory.dmp

    Filesize

    2.0MB