banload | 7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648

Analysis

max time kernel
60s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Size

3.2MB
MD5

aee6538b49f6df458d082a04208d46c4
SHA1

a98bdbc68cf2e9e2baaea4f69298b48f89bf7ab2
SHA256

7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648
SHA512

a9860d21abd2bb7289cc7af0b0b577fa19eeb41016dcf26d855d7475e78d1e8fc315a96d03f1bb69261a7ee20ecf76721ee0a474948a5aa5556c44e6b6399c79
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVPYOKQrgCGMxu3fFne4j4ZO:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrt

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_kor.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\pa-in.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.he-il.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TipTsf.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\InputPersonalization.exe.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hi-in.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ja-jp.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TabTip.exe.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeulm.dat.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hu-HU\tipresx.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrcommonlm.dat.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\mshwLatin.dll.mui.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsptb.xml.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "ADODB.Stream"	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll"	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "ADODB.Stream.6.0"	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ADODB.Stream"	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4876	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
Token: SeIncBasePriorityPrivilege	4876	7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe

C:\Users\Admin\AppData\Local\Temp\7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe
"C:\Users\Admin\AppData\Local\Temp\7afad58b919f5fa0b7c937744b09f3013d30c8dd538f35d07e83ff62574cf648.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp

Filesize
3.3MB

MD5
798946f88be2d7f0434c539a52b2bc9e

SHA1
47d01e5dcb5ac6ffa341d965b07d923cb96c65c4

SHA256
0565f5794da70243716a7ab3fee53d63f4d08159d56da845d482018f37b55629

SHA512
7a52944e1ae9727611949f896eebb3f9b09cd60cd942166c5077022930b3d8fc2bc855e5e05e7f0683b3cf6ff22743b20749eaa6fabe8eaf5430e5770539e89f

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
3.4MB

MD5
ef3f826a5c3b4877495cdd9ce8687f7f

SHA1
d0c221fb1ac8e9087aa94331fdfd37ff57be721b

SHA256
9f8904d76d38cb9f064824f79464ee0bbd3d9917bdcaedd1ee8e703cfdd27c45

SHA512
380b483ea98efd57711c558c12db98400f735a3c2fb6e1f5f2e62e846e36f54e082a0ac648b0799dd305ade32e59f4f3458f9eaf8ac3fcc5edd38c2da85b5068

Download Submit
memory/4876-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4876-2-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-9-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4876-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4876-14-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-46-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-47-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download
memory/4876-132-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4876-146-0x00000000047B0000-0x00000000049BC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads