Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19/12/2024, 01:14
Static task
static1
Behavioral task
behavioral1
Sample
b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Resource
win10v2004-20241007-en
General
-
Target
b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
-
Size
2.3MB
-
MD5
c614d31ed168c52e463ccfa182cc0c52
-
SHA1
cd9ecc6b4dbb93639ccac6f6437c95d6dbe2804f
-
SHA256
b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058
-
SHA512
8f2029b595811e4f965b2fe88e7c5e889a1e61bdec08f739e2b974670237f5a92054b8e5a8b3016f5be4d1b6d4136711d9b2b10727c2218644fc7b573ae9f861
-
SSDEEP
49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEv3xP:RF8QUitE4iLqaPWGnEvZ
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe -
Renames multiple (698) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\kk.txt.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\msadc\msadco.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-pt.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-locale-l1-1-0.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Buffers.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\7-Zip\Lang\fy.txt.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\7-Zip\Lang\ro.txt.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Cng.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Algorithms.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\ado\ja-JP\msader15.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\ado\msador15.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.IsolatedStorage.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\7-Zip\7-zip32.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\CompareSwitch.pptx.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.id-id.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsel.xml.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Memory.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.Primitives.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\msadc\msadce.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\Content.xml.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tabskb.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\hwrdeusymnn.dat.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\ja-JP\wab32res.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.Encoding.CodePages.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\msadc\fr-FR\msdaremr.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-libraryloader-l1-1-0.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\mscorlib.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\pt-BR\tipresx.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Claims.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Text.Json.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.Lightweight.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.Writer.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\ClearConfirm.jpe.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipTsf.dll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll.tmp b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe -
Modifies registry class 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "TraceSessionCollection" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.TraceSessionCollection" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.TraceSessionCollection.1" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 2452 b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe Token: SeIncBasePriorityPrivilege 2452 b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD5f847a9fea8d1cfad5a48e0acacd01c5e
SHA16e3a0ec1710eb96f48e46fc270134d904adab49a
SHA2569781eb9463fc1e3b94ae1f369e71758ae9b3533a867c58bee0f7f8075ba4cec9
SHA51271b51dff854915c44a91d8396f552411e4fb3d5aae7d1ab13f585a9761eef22ea0ef34c149fa61d3b6c1f38d5e938d62955f02849d66644c257e1a350b37dc40
-
Filesize
2.5MB
MD53200aed53b6a1df1b86fd95a8ff98e98
SHA17aee91fb73a69cbe61ab0160ee8fc11ade445aea
SHA256e3f837a1d6261902f49da6b3546dfe81055a217c6dc41c7882eaddbb64772081
SHA512303d337e458c67d04f97d6ef913c92469fe89e4baadec044a5b722c5542ef4fbaa9934ddee2543cef0e6eaa4451c1048960ef28789b9eafa7bb369ea1aebb9be