Malware Analysis Report

2025-01-22 23:09

Sample ID 241227-x5nsgsyjhw
Target 8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96
SHA256 8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96
Tags banload discovery downloader dropper evasion ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96

Threat Level: Known bad

The file 8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (220) files with added filename extension

Renames multiple (124) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-27 19:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 19:26

Reported

2024-12-27 19:27

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Renames multiple (220) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\License.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\io.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ko.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\CloseUnregister.wmv.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\de.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\kk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\sl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\en.ttt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ku.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\mr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\it.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\is.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\nb.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ro.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\be.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ta.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\tk.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.WorkbookClass" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0 | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Excel.WorkbookClass" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe

"C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/4648-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4648-2-0x0000000004A30000-0x0000000004C3C000-memory.dmp

memory/4648-9-0x0000000004A30000-0x0000000004C3C000-memory.dmp

memory/4648-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4648-13-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4648-14-0x0000000004A30000-0x0000000004C3C000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp

MD5 d0d5021e8c0ddd6152df79213e2b6ac8
SHA1 125cf6e04654443704852d9f07061c01251f3488
SHA256 48cbc8c870e4e9c061bf523140bbfda9d62bf0f9e9bda1a10df1f2d50f57c0f4
SHA512 449c6ceb1c84bb149952e8133f4919b368340a0a3f15ac14d123447c01595f6101918c7de61fb2928b561ce1f78cc7d430ac8fb14a20a8693f136a88a580d22e

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 6f2c4c976410a60b9bb7e64eef55e359
SHA1 5facfb3e7b30ea0e2b6dd46dbb0b8ec5403efda7
SHA256 a7c604bff5371cd15c7d85a40984f538dc08c93cedd6bd0b9bbc0cbb6a25a39e
SHA512 b34f97dbcec4640292d293ca6dc2b35bf8f80e184bbd04a486f9cd6aadb38eef6dfa9c1a6e4e7e6db7daab7b612fb2e7135dd602f2ba4d26640d59f87a59e23e

memory/4648-32-0x0000000004A30000-0x0000000004C3C000-memory.dmp

memory/4648-33-0x0000000004A30000-0x0000000004C3C000-memory.dmp

memory/4648-74-0x0000000000400000-0x0000000000616000-memory.dmp

memory/4648-86-0x0000000004A30000-0x0000000004C3C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 19:26

Reported

2024-12-27 19:27

Platform

win7-20240903-en

Max time kernel

60s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Renames multiple (124) files with added filename extension

ransomware

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\7-Zip\Lang\de.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eu.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fa.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ga.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\da.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\es.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ext.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\descript.ion.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ar.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ast.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bg.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\et.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\en.ttt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fur.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7zG.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\af.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\az.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\bn.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\cs.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fy.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fi.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\gl.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7zFM.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ba.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\br.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\co.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\an.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\be.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\ca.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7-zip32.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.dll.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7zCon.sfx.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\eo.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7-zip.chm.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\7z.exe.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\History.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\el.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
File created | C:\Program Files\7-Zip\Lang\fr.txt.tmp | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.OLEObjectClass" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Excel.OLEObjectClass" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe

"C:\Users\Admin\AppData\Local\Temp\8b1366a7c04bd00cb75d51c4d944005b7c63eb985f9d9a94f83bcc6494b25c96.exe"

Network

N/A

Files

memory/1996-0-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1996-1-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1996-8-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1996-11-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1996-12-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1996-13-0x00000000030A0000-0x00000000032AC000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp

MD5 8923e5dfa1dd2303e3bece9da71757e7
SHA1 10d2c8b745e76177513e9b5594f0f59ba3bd8429
SHA256 677a4a293ad27cfa3ae5318bd90437c2e08eb50afb4c4c1b2c0a493c73e121a9
SHA512 b02b16c679191f350648cf93fb6b18fdde277d495e1eb01996ef5fd9ff43f44c3ff7f6860438d1ce509408e02180325fbf7313c4ad732eda7d3d2b24d9b70b01

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 37b19ae6bad2f076fda620815a058d6a
SHA1 978f450517abf45eb2db3a5ee4e352c1cc431a17
SHA256 3745172b6d084b1c17d3a3d7b279f550881b8ef6dc436c5edeb44b4ba6ef58af
SHA512 ab84e421b9c99980a1e85b92989f48e21159ae206dd12196320c198d913cf1c009d94464b4dedf9f85de8acf8ff9b3ba72f87b632689e43c6922df365abbea4f

memory/1996-25-0x00000000030A0000-0x00000000032AC000-memory.dmp

memory/1996-39-0x0000000000400000-0x0000000000616000-memory.dmp

memory/1996-43-0x00000000030A0000-0x00000000032AC000-memory.dmp