Resubmissions

27-12-2024 19:21

241227-x258csykgr 10

27-12-2024 19:21

241227-x2vrmaykgm 10

Analysis

  • max time kernel
    47s
  • max time network
    33s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    27-12-2024 19:21

General

  • Target

    8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe

  • Size

    4.0MB

  • MD5

    b8f4d3e558f7069b5020f7024e6480b3

  • SHA1

    49da493a24e179fac1c0217577966c9af42954b7

  • SHA256

    8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d

  • SHA512

    21e88209d4059a3135e81d7b403806f26266548522b06123192f4df15cb72d1896d3801cd35581d2b9e92d76df61e606fca2f46a0a4fd30afc8f869f0b63223d

  • SSDEEP

    98304:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrpHv/kAZIlnHyA:RFQWEPnPBnEmOKIbGpPMAZcyA

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (221) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe
    "C:\Users\Admin\AppData\Local\Temp\8d8fceab6594860d035438ce97bfc7a0401bbece8604e9a84c0fa7beea16828d.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:384
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2604

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\$Recycle.Bin\S-1-5-21-1669812756-2240353048-2660728061-1000\desktop.ini.tmp

      Filesize

      4.1MB

      MD5

      38de2f2f1ff31888f3bef0b401cb429d

      SHA1

      56b07d117c8742515f27bcea656ed747ea84847f

      SHA256

      50a9900c8d3ce4d47fba17e3a9e2ce36157e94a8a4d8ebddb5d7eb40d1c70185

      SHA512

      bac433ce02ea9ef9b0c5dd7d2b98bf58d2dff32f0ffd953e595ff461a9f6d8a68190b36d3d082ea51e14919473e1c1eca691670ba736fa105c69caa6292a794f

    • C:\Program Files\7-Zip\7-zip.chm.tmp

      Filesize

      4.2MB

      MD5

      cb95cbab8a25d4dd80893bb1d5d47642

      SHA1

      fb3a106b8ff641ad54de0701891629e4c5f54f93

      SHA256

      a8268372b6d8a1f7b056fb56d17d74027b712f2be0bb9dfa0d230dc772b9c4e6

      SHA512

      dd3b26696f25449d076cc7d0c52cda0b32e9ec815c00306d989d3f64754820768e61363759f382b637a60d9ee12180ad14327d085d6982fe7bfbcbad09f8184b

    • memory/384-0-0x0000000000400000-0x0000000000616000-memory.dmp

      Filesize

      2.1MB

    • memory/384-2-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB

    • memory/384-9-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB

    • memory/384-12-0x0000000000400000-0x0000000000616000-memory.dmp

      Filesize

      2.1MB

    • memory/384-13-0x0000000000400000-0x0000000000616000-memory.dmp

      Filesize

      2.1MB

    • memory/384-14-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB

    • memory/384-40-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB

    • memory/384-41-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB

    • memory/384-106-0x0000000000400000-0x0000000000616000-memory.dmp

      Filesize

      2.1MB

    • memory/384-118-0x0000000005330000-0x000000000553C000-memory.dmp

      Filesize

      2.0MB