banload | 887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043

Analysis

max time kernel
60s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Size

2.7MB
MD5

c294f1ac5ea51f14e316b83fa02310aa
SHA1

c5dc47f6b58abad884276e286e408623d1cc18f9
SHA256

887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043
SHA512

fa869468a8f05efc072e529ec0402298fffac601637ad54aaa4733b8646b43b902a29c27b07a0e97fc9cd0e67f4e977e7d0c83dfe22bebb37acd490c14fc2ec0
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVSTXARrP/WH5/:RF8QUitE4iLqaPWGnEvfWHp

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrenclm.dat.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\ShapeCollector.exe.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\InputPersonalization.exe.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabIpsps.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrusash.dat.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipRes.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hr-hr.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\tipresx.dll.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "OneDriveCloudManagement"	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\OneDriveSettingSyncProvider.dll"	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both"	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3580	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
Token: SeIncBasePriorityPrivilege	3580	887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe
"C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
2.8MB

MD5
022c0f640cd59295540c4739f394f762

SHA1
3edc2e28273b3e330e17bbd02a29aeaa48020933

SHA256
a6d458b763c1f923eda01165a7c5fec22204ba322cdddc2f2bb92ffed4e56b5b

SHA512
6ad6261ac21c28550382d919f4c0992fa3a82a25ebe0836ec6e7da57345325fcd8cd08e4333237e4ac5849e0bdb3aaddffd1aa49558870fd70c62392b5db1782

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
2.9MB

MD5
ce01e1d86c8b489067f08c3091a68ca4

SHA1
0d30d4a7a1b77c86aa12f7e89c49d174ee8f79a3

SHA256
bf81713329da24611a9dccedcc9ea0f466728bf8b509d8f1c3abb293d9320b9e

SHA512
7f64bcf4d76404a8de54014d924d7fac86de43344c5c6c3c4d00139961e2d223fe2a83ec6f8835dd182963467606475140cf3ceaed7f18968e74910d47d8e5e3

Download Submit
memory/3580-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/3580-2-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download
memory/3580-9-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download
memory/3580-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/3580-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/3580-14-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download
memory/3580-54-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download
memory/3580-55-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download
memory/3580-146-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/3580-168-0x0000000004880000-0x0000000004A8C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads