Malware Analysis Report

2025-01-22 23:08

Sample ID 241227-x825aaykdv
Target 887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043
SHA256 887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043
Tags
banload discovery downloader dropper evasion ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043

Threat Level: Known bad

The file 887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043 was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion ransomware trojan

Banload

Banload family

Renames multiple (220) files with added filename extension

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Renames multiple (197) files with added filename extension

Checks BIOS information in registry

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-27 19:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-27 19:32

Reported

2024-12-27 19:33

Platform

win7-20240729-en

Max time kernel

60s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Renames multiple (197) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "User Account Control Settings" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{06C792F8-6212-4F39-BF70-E8C0AC965C23}" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@%SystemRoot%\\system32\\UserAccountControlSettings.dll,-70" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\UserAccountControlSettings.dll" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

"C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-27 19:32

Reported

2024-12-27 19:33

Platform

win10v2004-20241007-en

Max time kernel

60s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe"

Signatures

Banload

trojan dropper downloader banload

Banload family

banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Renames multiple (220) files with added filename extension

ransomware

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Drops file in Program Files directory

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "OneDriveCloudManagement" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\OneDriveSettingSyncProvider.dll" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe

"C:\Users\Admin\AppData\Local\Temp\887f0528dca25cf05bcbb854c1ddda8534c64291512f40a17b03ec8faedf6043.exe"

Network

Files
