banload | 481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734d

Resubmissions

19/12/2024, 22:13

241219-1472hs1nds 10

19/12/2024, 21:43

241219-1kzwss1maj 10

Analysis

max time kernel
120s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 21:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Size

2.4MB
MD5

0850fb73ac5cf974c11c0a78f2cc0a80
SHA1

f05cc0495fe2a239c76625e6be51f3d52fdcdea2
SHA256

481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734d
SHA512

30dae41f217a94117d67a4a8c782386cd8cb892ce4d0f05e4d9afcab1b9427d3ce3675e411fda2b032d74a38c1fa50f7659b2a8c0580fc78e3945292a3215fa9
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEv3olj3:RF8QUitE4iLqaPWGnEvY

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

Renames multiple (664) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-processthreads-l1-1-1.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ServiceModel.Web.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Formats.Tar.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebProxy.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\Ole DB\it-IT\sqlxmlx.rll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.DiagnosticSource.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.Primitives.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\ShapeCollector.exe.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-string-l1-1-0.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\rtscom.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.NonGeneric.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.AccessControl.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\rtscom.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcor.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.StackTrace.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Numerics.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.Lightweight.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Primitives.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Primitives.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Immutable.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.SecureString.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.EventBasedAsync.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\msquic.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-1-0.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\Windows.UI.Immersive.dll"	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment"	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2144	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
Token: SeIncBasePriorityPrivilege	2144	481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe

C:\Users\Admin\AppData\Local\Temp\481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe
"C:\Users\Admin\AppData\Local\Temp\481f49f44f47d75a777518e1c5b0523e28ee7b1eae03ad284f9d68ad7164734dN.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

Filesize
2.6MB

MD5
22112b6de0ccf7af06861b8bee456a28

SHA1
35d251401f7439dfe4b3dc325c4bea45fa79fdeb

SHA256
346a5b7468ddf544da9f78bb36b4c6627147b6028d0c50889443feee9c21eee6

SHA512
1d8f704db213177f6e799592751a105a01bd0e9312293a6bbe584ac08fb90fa3a84f3f35d18d13b8ac9edb8cabea10f721260873991f1d376964009742c316bf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
2.7MB

MD5
4fb6ed4ccc025b6b438efc04d82a7593

SHA1
02f5a2126d9a8dd11812019dd468e958196a8695

SHA256
aa1aa4420c16bdb4f7894d20b9c1ad6cd62f4f6d109430d7b4679aec38e4ef1a

SHA512
989b3cdf1455ebe736be9c776db0a141d3c0387a49e379f907d9d408f351e4e6265a0d0fe7de8d3cd865afe727aaae7621957c7ce1fdb592f831062e77924846

Download Submit
memory/2144-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2144-2-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download
memory/2144-9-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download
memory/2144-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2144-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2144-14-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download
memory/2144-50-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download
memory/2144-51-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download
memory/2144-142-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2144-161-0x0000000004850000-0x0000000004A5C000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads