banload | 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Size

3.9MB
MD5

3bb190f592366f7550d892609267b217
SHA1

1aa182b79728e3689ab16939fd536385276eecc1
SHA256

1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7
SHA512

9598d6959ed9fa9905c045117481658f55f0c98182b1de3c6dc91037102c8b6d138d33bb1ebf13bb940a9c158997f5e4dc7329a4b0581633b2485ccb82eec99e
SSDEEP

98304:RF8QUitE4iLqaPWGnEv+OKQr8MAvFripiP:RFQWEPnPBnEmOKIbGr

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

Renames multiple (222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_altgr.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\msinfo32.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPOBJS.DLL.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Csi.dll.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\7zG.exe.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\AttributeMask = "0xffffffff"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\DropEffect = "0x2"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\DefaultOverlayIcon = "%SystemRoot%\\SysWow64\\imageres.dll,-169"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Staging ShellFolder for CD Burning"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\Location = "@shell32.dll,-12590"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\Attributes = "0x8000"	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1644	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
Token: SeIncBasePriorityPrivilege	1644	1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe

C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
"C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp

Filesize
4.0MB

MD5
f99d955e2cff0d730e02b952fc2a7766

SHA1
137956d0aae6fda9e8696da147c56ef5f0e3c3e2

SHA256
a7c9c8b6464c4a530f7c8368616ed382685af2d3e4cbebb0cab19c3b73a34621

SHA512
ac1c2a0ca8c7f98469950a71af86b7ea1718baa6e98b0b50be4516ec1d7517c8a41e81cab3433841f28f1795d52bfa2bf153ad0b71532e814082c40ede0f5536

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
4.0MB

MD5
775c9dddb951759d597f46494b06d0b9

SHA1
5c4ca3a842cf1fc7007dba7a674b6add93f8ba9b

SHA256
33d1e6308caff720bedcfc28adee7e7695e9fe06cf6ccda43a89e5b046a1089c

SHA512
9d982db93ceaddb5091ee704d0a614424702af1798271f91f4eb520e8421d4b73a2f36212252b840186256a6603bd112fc9d1ad8286bd19bf82cd3dba13f4229

Download Submit
memory/1644-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1644-1-0x0000000002F30000-0x000000000313C000-memory.dmp

Filesize
2.0MB

Download
memory/1644-8-0x0000000002F30000-0x000000000313C000-memory.dmp

Filesize
2.0MB

Download
memory/1644-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1644-13-0x0000000002F30000-0x000000000313C000-memory.dmp

Filesize
2.0MB

Download
memory/1644-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1644-25-0x0000000002F30000-0x000000000313C000-memory.dmp

Filesize
2.0MB

Download
memory/1644-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1644-45-0x0000000002F30000-0x000000000313C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads