banload | 871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845

Resubmissions

27-12-2024 19:40

241227-ydma1symep 10

27-12-2024 19:36

241227-yblayaykfy 10

Analysis

max time kernel
60s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Size

3.9MB
MD5

415fdd816519e04471cdb6e54f7e7f95
SHA1

94b06d48ec16ac9411433624d5aa8eb98973c7d3
SHA256

871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845
SHA512

d7ff3e9a834ccde1f7e44268533dc42abc6af4b933e39c8ba6f2406975a4e6a8c60161e5a4b529fdcf87213b05827bc3b1789b65b977c8791151acc769e91d9a
SSDEEP

98304:RF8QUitE4iLqaPWGnEvK7RkOEEo+A7mOkO:RFQWEPnPBnEX3

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

Renames multiple (175) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\pt.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ku-ckb.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\io.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

Modifies registry class 13 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "SAPI.SpShortcut.1"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "SAPI.SpShortcut"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "SpShortcut Class"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "5.4"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}"	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2556	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
Token: SeIncBasePriorityPrivilege	2556	871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe

C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
"C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

Filesize
4.0MB

MD5
133ddefa9649d34a4d0b7c2aed1aa7a4

SHA1
cc8c75ec851ac3c9618b5d6b43acf34216a152f5

SHA256
bdfa57d098b5166f1b3e6af183ae933b80509e16899439310402b0a6906fad63

SHA512
de35690291700685f3ce397cc69aed841c80174a9e70018d78e59bf688d0d459ca05a13d3e710db50b5cbc2b03e41a8812fce7c1eaadf1da0a2e233ffbcd3514

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
4.0MB

MD5
83bec0edcf2708fc3e4e865aca1b7b0d

SHA1
e10831088b7e242e7228b49e8dd1358847a8850e

SHA256
92a391c490b6cb7155021cb0e3e6f0d0a3ff7853b5c4e362ee6fa67dd9cf4b94

SHA512
6915a594f9f5c731d0c19f49aa2b860c4663afc861bcb690f83770d38802669e8cd6613fb1a9478422aaa93565d75da158457a6c1ea30650a36652b23f60a36d

Download Submit
memory/2556-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2556-1-0x00000000030A0000-0x00000000032AC000-memory.dmp

Filesize
2.0MB

Download
memory/2556-8-0x00000000030A0000-0x00000000032AC000-memory.dmp

Filesize
2.0MB

Download
memory/2556-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2556-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2556-13-0x00000000030A0000-0x00000000032AC000-memory.dmp

Filesize
2.0MB

Download
memory/2556-25-0x00000000030A0000-0x00000000032AC000-memory.dmp

Filesize
2.0MB

Download
memory/2556-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2556-45-0x00000000030A0000-0x00000000032AC000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads