banload | b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Size

2.3MB
MD5

c614d31ed168c52e463ccfa182cc0c52
SHA1

cd9ecc6b4dbb93639ccac6f6437c95d6dbe2804f
SHA256

b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058
SHA512

8f2029b595811e4f965b2fe88e7c5e889a1e61bdec08f739e2b974670237f5a92054b8e5a8b3016f5be4d1b6d4136711d9b2b10727c2218644fc7b573ae9f861
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEv3xP:RF8QUitE4iLqaPWGnEvZ

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

Renames multiple (982) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.Extensions.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\desktop.ini.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Linq.Expressions.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscorlib.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.ServicePoint.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Metadata.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Threading.Tasks.Dataflow.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\DisconnectReceive.dwg.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Extensions.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.DriveInfo.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Crashpad\metadata.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.AccessControl.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\WindowsBase.resources.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\Services\verisign.bmp.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\ado\msadomd.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.ILGeneration.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Principal.Windows.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-console-l1-1-0.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordaccore.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\ReachFramework.resources.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TipRes.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebClient.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.ReaderWriter.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaremr.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.FileSystem.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.CompilerServices.Unsafe.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Contracts.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Configuration.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscat.xml.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.Serialization.Json.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-convert-l1-1-0.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.Native.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdatl3.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Buffers.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mfc42u.dll"	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Picture Property Page"	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4744	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
Token: SeIncBasePriorityPrivilege	4744	b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe

C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
2.4MB

MD5
7c4b4546f09b7d3709ad4c0a412b1fbd

SHA1
ea7105a761bab4e925f33abb8c5778f61b9c8be4

SHA256
68d52ef92eebe4e98fbab289721dabb10de42cba99c47874909812a8c97cd238

SHA512
44e56d1a5f0e22b79246932108e74235239eca9e79ec493cb2490cb6b4dd8295ad1d6ec285ca13127085409123c3f432aec05fbaba73e7a55dc9634aeeb90d38

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
2.5MB

MD5
e4a84fd314b4d407b751e4c8d3a0d06d

SHA1
24e454ec8a63bd851aafc9f984349d6b05a0bf95

SHA256
7b46901d6d165021426cf8ae0bf9593af90a05570cb564f04a2934651a8ab64e

SHA512
f12f755d7f96b979763d57d1f89a0134fd7491452aab8e5fd18e9aa07413e410948da43fd812e6ce7c9cbb443c1306024904350eb18377755e9325f53e20e47a

Download Submit
memory/4744-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4744-2-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4744-9-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4744-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4744-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4744-14-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4744-60-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4744-61-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4744-176-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4744-200-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads