banload | fd4321374a63a1c7e3b38de206126fe029312da2c22e758a688c5dc1f6f6cf8d

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Size

13.3MB
MD5

be4a5b81976ca86d9073acf739533bd7
SHA1

e5c839b3238d27aa702633e72a8ad99925d1d24c
SHA256

fd4321374a63a1c7e3b38de206126fe029312da2c22e758a688c5dc1f6f6cf8d
SHA512

8bad167122923082a09d950d9a8214df355d6a208bf051f2bd90cf9727901df54ca142b592a6508065d4b42f4217a7e1f1028d949804c0f59dde31929340d0b6
SSDEEP

98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOk3oaCVA7m2St29Ejzh9oEcx/R2qVIK4u:RFQWEPnPBnEXPELR8N3MKFBIHuM/Z

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

Renames multiple (219) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

Modifies registry class 5 IoCs

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "New Shortcut Wizard Modal"	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\appwiz.cpl"	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment"	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

description	pid	Process
Token: 33	4852	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
Token: SeIncBasePriorityPrivilege	4852	2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-03_be4a5b81976ca86d9073acf739533bd7_hawkeye_hijackloader_jaff.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

Filesize
13.5MB

MD5
6560e3407e40fe1e4f4b1e07beae583d

SHA1
ed67a4e410b8ee0473f6b10c2e101c15b2002b74

SHA256
d97a9e4271265e653097ac7a6dbe1c97e35136a073b404f895858b33ececc752

SHA512
b5732c820754c9fc3b05a47a616bfd2336d741e1e7ff34fb313ab8b6649028ea1e9a9fa14b69a52bf9384175f48939b3b650a6b90e9989ea13a817dc1b1f5dbf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
13.6MB

MD5
5a638e7a934b03558de3e6dee0cb74ed

SHA1
3c9b4c8aa276a3155c566a61df6cca4202bd8f16

SHA256
02cc9fd724bd7c6cbd0f7a3920ec2414aa16a06a161bf1f176c1b5747e532ae8

SHA512
b042443e100172843dfbc2b4b8b366b2b1d808c82304bda2b4c4d1a19b8a4ed12f660318c236841652aaaf9f98429f9b05dfba896861b8cee078ef43c07f74d0

Download Submit
memory/4852-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4852-2-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/4852-9-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/4852-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4852-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4852-14-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/4852-23-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/4852-22-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/4852-42-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4852-48-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download