Overview

overview

10

Static

static

3

f8c41a4e42...8N.exe

windows7-x64

10

f8c41a4e42...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 19:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe

  • Size

    3.3MB

  • MD5

    5f2fbdca7682a3bbdcf63cb856224ee0

  • SHA1

    c26bf2b9c1686228ee7c27e03e4f4f068fa458d9

  • SHA256

    f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748

  • SHA512

    6d70c0853a3cf2487d85ae31a09e918fe6700d3777ff8672e6a2747113120dd132679ea912026f5fe61af4953fd05baf3f586ef0c8732db7c5bfd051479bd521

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEvSdsc0B18YhT8qM:RFQWEPnPBnEKd50P8YhT8t

Score
10/10
banloaddiscoverydownloaderdropperevasionransomwaretrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Banload family
    banload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Renames multiple (212) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe
    "C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp
    Filesize

    3.4MB

    MD5

    6e86b3b181c2bc1340cfba6f6bc26297

    SHA1

    2749157f15cdee266a847f7fa76de7c8c68a27a6

    SHA256

    e8e91b343d384a062c79fa266d860fe95ddd7f96a81a97821d59d37da228a648

    SHA512

    b2ec3dc6a3dd07ce08b188be41bffe642356b18f33bc79fc2ad5d1a44cba2ae021422f829a4812e61af10bbaa8be1061105290f4c2319ec9845f555e54823264

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
    Filesize

    3.4MB

    MD5

    a6d5bbf4ae957fe6f7e5a2d65f56b597

    SHA1

    cfdaf6a51d1bf1f5a5df582d82d8518a8a6c0012

    SHA256

    d5f017b9de88d91d75c882962b36cc80412d2c2d1156936a0787edfbeebbf620

    SHA512

    105c9d7df4fe15087e998be6131de0cd0eac39e1ae73166fd32dab7d62e5bf33993a1530f15ea5a40d3fed4a5f94791821b9bdf3a784439d02efd975cb600ac3

    Download Submit

  • memory/2688-0-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2688-1-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2688-8-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2688-12-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2688-13-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2688-11-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2688-25-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2688-26-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2688-41-0x0000000000400000-0x0000000000616000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2688-47-0x0000000003490000-0x000000000369C000-memory.dmp

    Filesize

    2.0MB

    Download