Analysis
- max time kernel: 60s
- max time network: 39s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-12-2024 19:45
Static task: static1
Behavioral task: behavioral1
- Sample: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
- Resource: win10v2004-20241007-en
General
- Target: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
- Size: 3.9MB
- MD5: 3bb190f592366f7550d892609267b217
- SHA1: 1aa182b79728e3689ab16939fd536385276eecc1
- SHA256: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7
- SHA512: 9598d6959ed9fa9905c045117481658f55f0c98182b1de3c6dc91037102c8b6d138d33bb1ebf13bb940a9c158997f5e4dc7329a4b0581633b2485ccb82eec99e
- SSDEEP: 98304:RF8QUitE4iLqaPWGnEv+OKQr8MAvFripiP:RFQWEPnPBnEmOKIbGr
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Banload family
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Process: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Renames multiple (221) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system. The same heuristic also fires on installers and updaters that stage .tmp copies; the IoCs under "Drops file in Program Files directory" are .tmp-suffixed names created next to existing files, so confirm that the originals were actually overwritten (and their content is now high-entropy) before treating this as encryption.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Drops file in Program Files directory (64 IoCs)
  Process for every entry: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
  - File created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.tmp
  - File created: C:\Program Files\7-Zip\Lang\ms.txt.tmp
  - File created: C:\Program Files\7-Zip\Uninstall.exe.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.el-gr.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lt-lt.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp
  - File created: C:\Program Files\7-Zip\Lang\be.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\ru.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClientIsv.man.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp
  - File created: C:\Program Files\7-Zip\Lang\it.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\ku.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll.tmp
  - File created: C:\Program Files\7-Zip\Lang\si.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp
  - File created: C:\Program Files\7-Zip\Lang\bg.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\gl.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\hu.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\pl.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\ea.xml.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknavbase.xml.tmp
  - File created: C:\Program Files\7-Zip\Lang\fur.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\id.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\hwritash.dat.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\InkDiv.dll.tmp
  - File created: C:\Program Files\ClearClose.bmp.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\hwrfralm.dat.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\tipresx.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\offreg.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\dicjp.bin.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp
  - File created: C:\Program Files\7-Zip\Lang\io.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\tipresx.dll.mui.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pt-br.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipTsf.dll.mui.tmp
  - File created: C:\Program Files\7-Zip\Lang\ba.txt.tmp
  - File created: C:\Program Files\7-Zip\Lang\sw.txt.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.tmp
  - File created: C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.tmp
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Process: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Modifies registry class (13 IoCs)
  Process for every entry: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
  All 13 writes land under one CLSID in the 32-bit (WOW6432Node) view of HKLM\SOFTWARE\Classes. The InprocServer32 value points at the stock %ProgramFiles(x86)%\Windows Photo Viewer\PhotoAcq.dll rather than at any file the sample dropped, and the ProgIDs name a Windows Photo Viewer dialog class, so this reads as a COM registration of a built-in class; whether that is harmless re-registration or a hijack depends on what actually sits at that path on the host, which the sandbox does not show.
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PhotoAcquireOptionsDialog"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Microsoft.PhotoAcqOptionsDlg.1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Microsoft.PhotoAcqOptionsDlg"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0"
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe (PID 2876)
  - Token: 33 (privilege LUID 33, left unresolved in the report)
  - Token: SeIncBasePriorityPrivilege
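The signatures above are printed as flattened "action target process" lines, which is awkward to reason about by eye once there are dozens of IoCs. The following is an added example written for this page (editor's code, not the sandbox's and not the sample's) that parses lines in that form and summarises the three behaviours a practitioner would want to confirm by hand: the evasion-style registry reads (VirtualBox ACPI table, BIOS version/date, NLS language), the .tmp file-drop pattern that the "renames files with added extension" heuristic keys on, and the COM registration with the server path it was pointed at. The sample input is a constructed subset of the IoCs listed above, with the process name shortened from the full SHA-256 file name; the evasion labels and the pattern list are the editor's, not the sandbox's.

```python
"""Triage helper for flattened sandbox IoC lines (added example, editor's code)."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed input: a subset of the IoCs from the report's signature tables,
# in the report's own "<action> <target> [= "<value>"] <process>" layout.
# The process name is shortened; the real one is the full SHA-256 plus ".exe".
SAMPLE_IOCS = r'''
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 1f51c76a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1f51c76a.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 1f51c76a.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1f51c76a.exe
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp 1f51c76a.exe
File created C:\Program Files\7-Zip\Uninstall.exe.tmp 1f51c76a.exe
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp 1f51c76a.exe
File created C:\Program Files\Common Files\microsoft shared\ink\en-US\tipresx.dll.mui.tmp 1f51c76a.exe
File created C:\Program Files\ClearClose.bmp.tmp 1f51c76a.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 1f51c76a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" 1f51c76a.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" 1f51c76a.exe
'''

# Target is matched lazily so the optional = "value" part and the trailing
# process token are found even when the target itself contains spaces.
IOC_RE = re.compile(
    r'^(?P<action>Key opened|Key value queried|Key created|Set value \(\w+\)|File created)\s+'
    r'(?P<target>.+?)'
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)$'
)

# Registry reads this report flags as anti-VM / anti-sandbox. Labels are the
# editor's; the key paths are the ones the signatures list.
EVASION_PATTERNS = {
    "VirtualBox ACPI table (VBOX__)": re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I),
    "BIOS version/date fingerprint": re.compile(r"\\System\\SystemBios(Version|Date)$", re.I),
    "System language discovery": re.compile(r"\\NLS\\Language$", re.I),
}

# Default value of a CLSID's InprocServer32 key, i.e. the COM server path.
CLSID_SERVER_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\\$")


@dataclass(frozen=True)
class Ioc:
    action: str
    target: str
    value: Optional[str]
    process: str


def parse_iocs(text: str) -> List[Ioc]:
    """Parse one IoC per line; lines that do not fit the layout are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            records.append(Ioc(m["action"], m["target"], m["value"], m["process"]))
    return records


def evasion_hits(records: List[Ioc]) -> List[Tuple[str, str]]:
    """Registry reads that match a known sandbox/VM fingerprinting key."""
    hits = []
    for r in records:
        if not r.action.startswith("Key"):
            continue
        for label, pat in EVASION_PATTERNS.items():
            if pat.search(r.target):
                hits.append((label, r.target))
    return hits


def drop_summary(records: List[Ioc]) -> Tuple[Counter, Counter, Counter]:
    """Group 'File created' IoCs by directory and record the extension that was
    appended to an existing name (foo.dll -> foo.dll.tmp). One uniform appended
    extension across many directories is what the rename heuristic keys on; it
    does not by itself prove the originals were encrypted."""
    by_dir, appended, underlying = Counter(), Counter(), Counter()
    for r in records:
        if r.action != "File created":
            continue
        p = PureWindowsPath(r.target)
        by_dir[str(p.parent)] += 1
        if len(p.suffixes) >= 2:
            appended[p.suffixes[-1].lower()] += 1
            underlying[p.suffixes[-2].lower()] += 1
    return by_dir, appended, underlying


def com_registrations(records: List[Ioc]) -> Dict[str, str]:
    """CLSID -> InprocServer32 path written by the sample. Check each path
    against the drop list: a server inside a dropped file is a hijack, a stock
    system DLL is more likely plain re-registration."""
    servers = {}
    for r in records:
        if r.value is None:
            continue
        m = CLSID_SERVER_RE.search(r.target)
        if m:
            servers[m.group(1).upper()] = r.value
    return servers


def triage(text: str) -> dict:
    records = parse_iocs(text)
    by_dir, appended, underlying = drop_summary(records)
    return {
        "records": len(records),
        "evasion": evasion_hits(records),
        "drops_by_dir": dict(by_dir),
        "appended_ext": dict(appended),
        "underlying_ext": dict(underlying),
        "com_servers": com_registrations(records),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_IOCS).items():
        print(f"{key}: {val}")
```

Feed it the full 64-entry drop list from this report and by_dir shows how many distinct directories were touched while appended_ext collapses to a single ".tmp" key; that uniformity is the signal the rename heuristic fires on, and the absence of any dropped file behind the CLSID's server path is what separates this COM registration from a hijack.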
Processes
- C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe (PID 2876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.0MB
  MD5: 3b099f7e615c74160f5060e5c0e406df
  SHA1: 204cfc3a2a9bb971d9200c2d51c3e3c9e20d182e
  SHA256: 302943a89e3b029abce90004992e963ff39897d48c1a8e321e76b32ffca3c59d
  SHA512: e1ef6a409c95996b663b73c4b8ca58397117950c1bbd945a4d233e23e22c7df04e0533600cb93f08537b2031d6ce866cc0f1dea79c89b8a8e3ef5039dbe830ef
- Filesize: 4.1MB
  MD5: 74e9775918550a78aecb21484fdf8397
  SHA1: 4882b163284f2eb5c2248f247ef0edeb927fc9d8
  SHA256: 8e1f1775bcb505e66705c663828f1b3bf8a65ec413c8459d1422ccb86826a6b4
  SHA512: 4b015f580d1930568e694ee29d0fecdbec0d272b98eab91b0f889e2fb55c8c76932f33b48d81559c7205cfd45f5eb081cec6d23c16c9af9dcda7726a02cbe865