banload | c79f2f6cd70358a2df2382bcb191aa6f22ba0d17d547e1e2c4350d0546c9be24

Analysis

max time kernel
142s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/12/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CI3.exe
Size

2.4MB
MD5

7fc7d17fe99e96b403224b6d0363f6e8
SHA1

a892e59ccb3b95ad8e50ab8bcfa9925b92c219fe
SHA256

15c5e0826a4ec78ae00ccff64a3a63e365a6dfb2cd3efa87608e88ab45ec19cb
SHA512

9c3cfdbb3b93b61d9d38e65c9a1ab1da5bcbe6f428a6eebae53ea70fa1076c5996e9085a231cabe5c5cc1ca366880901f9c1f15a8cb8fcdc5f811f49323ffe8c
SSDEEP

49152:unEwQWnvUTHKW6NUUOnfPd5wydwdqWiK+l4/qB:unEAkKW6CUAfPSdZiK5/Q

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	CI3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	CI3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	CI3.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CI3.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32\ThreadingModel = "Apartment"	CI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ProgID	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ProgID\ = "Microsoft.PhotoAcqDeviceSelectionDlg.1"	CI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\TypeLib	CI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\Version	CI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\ = "PhotoAcqDeviceSelectionDlg"	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\VersionIndependentProgID\ = "Microsoft.PhotoAcqDeviceSelectionDlg"	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\Version\ = "1.0"	CI3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\VersionIndependentProgID	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	CI3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E0E3262E-C9DE-13D1-BC03-0E8FF93EAE2B}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"	CI3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1636	CI3.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1636	CI3.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1636	CI3.exe
Token: SeIncBasePriorityPrivilege	1636	CI3.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1636	CI3.exe
1636	CI3.exe
1636	CI3.exe
1636	CI3.exe
1636	CI3.exe
1636	CI3.exe

C:\Users\Admin\AppData\Local\Temp\CI3.exe
"C:\Users\Admin\AppData\Local\Temp\CI3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\InterAction studios\CI3\3.50iwn\CI3.cfg

Filesize
871B

MD5
888ef788e9638027cdb6eeb0332067d8

SHA1
41b6955f86dd527ab09ec481281e43247b9e52c6

SHA256
0d2888b864984e6f414451f7fdeb3c287d4584e8b1cdf62d4ca823c283f65eca

SHA512
2b1d9b9c2e5831cd6d16dae7c4c8ea763984bb63d9573fe2bd71f9ad5d54e510be88a4de976d8890c26a8282c6af794a1b3e9bc0af0fedcd9f89d7e1e3c91371

Download Submit
C:\ProgramData\InterAction studios\CI3\3.50iwn\CI3.cfg

Filesize
208B

MD5
37ea83fa6e0a1fa5621a6c2e953549df

SHA1
874b3e119a5b4a1d03d9968e47677971f12365e2

SHA256
9e19236238816fc9f1f07b4de924a1487910720311eb714c4b67a41881aba735

SHA512
93046260daf53c79e11eff5677fcee4ba33ea3f4f28209172829c7337ae5524b3678f40409fbdb0f6129060829d302ab665ba1ac7d3b26050f4c0ccde514a45f

Download Submit
C:\ProgramData\InterAction studios\CI3\3.50iwn\CI3.cfg

Filesize
789B

MD5
26be4faf384b28cd3c4f137ca1b3fba1

SHA1
c006bb214d16cd4fd041a71a9b4c8be0bce91ed1

SHA256
10e140f4b5a1fcb3411ab1c30c91611c9a89e0bc41c5c1118e7dd666e3bba798

SHA512
cc5fb447c210632d4119fefc5e4fbbebe6327fa79fdbcb56e9f002b4410e8b2ece7432a7637690f046fdbf3653840f2d6c1545872bc8c0f532993cdbe5bece8d

Download Submit
C:\ProgramData\InterAction studios\CI3\3.50iwn\CI3.cfg

Filesize
841B

MD5
7578973bd9ff088c211d5014b730a16c

SHA1
d9ba76c07fdf1f6452ea86b3a748d65e4bccb21a

SHA256
c7ec425954cffb9fa8bd71861b67eb051a662ce4d504a64683499c4f9d99874c

SHA512
0300874244c7defac70d09208daebdd0bf0c24eda6ce29e581a38d0caa0dc0a8006d06cd51f6e69b40d845672dc34bd5d4d30911a3e08daabc12ae0987963f06

Download Submit
memory/1636-121-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-126-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-14-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-16-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-15-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-17-0x0000000002800000-0x0000000002A00000-memory.dmp

Filesize
2.0MB

Download
memory/1636-13-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-11-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-7-0x0000000002800000-0x0000000002A00000-memory.dmp

Filesize
2.0MB

Download
memory/1636-93-0x0000000002800000-0x0000000002A00000-memory.dmp

Filesize
2.0MB

Download
memory/1636-5-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-115-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-118-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-117-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-116-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-120-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-119-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-122-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-0-0x0000000002800000-0x0000000002A00000-memory.dmp

Filesize
2.0MB

Download
memory/1636-124-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-10-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-125-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-123-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-128-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-127-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-130-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-129-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-132-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-131-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-134-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-133-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-136-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-135-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-138-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-137-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-140-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-139-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-142-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-141-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download
memory/1636-144-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/1636-143-0x0000000000400000-0x0000000000841000-memory.dmp

Filesize
4.3MB

Download