banload | 996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535

Analysis

max time kernel
60s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Size

3.5MB
MD5

12d9b6e676211158f5a0f0352f108087
SHA1

6d7d4fccd243430580ff1c0150037b8a99a12937
SHA256

996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535
SHA512

2bfc9e85ef842b2b649ea61f18af140682aefe2111273507a1730b917704dd1934895296d7c9045865114e292691c7e5c9b107677a7892883412e9942b88c54d
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVPYOKQrgCGMxu3fFne4j4ZXum7Y:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrMY

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

Renames multiple (184) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7z.exe.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\el.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ms.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\es.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ga.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\sr-spl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Schema Migration Plugin"	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\propsys.dll"	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment"	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2092	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
Token: SeIncBasePriorityPrivilege	2092	996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe

C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe
"C:\Users\Admin\AppData\Local\Temp\996f0d21dc51c9079500382e1323af4588b3f7e0e0559d35a9ea3c16ee410535.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp

Filesize
3.7MB

MD5
ae7bb55c57aff6c63d1b6f2e59679927

SHA1
0ce67d0556373aef5727cd491538beb314448b69

SHA256
8ad5372a233d470c25e414ae7f4967b4b7498b246bc08a7e55b1ad5cc710234b

SHA512
247b5824bb4cf62daff53bc21e3d7d19e874bc1053447902fc32cbb55a1f5bafa45a8e310273b12908f158891ff69980a49487df1511bd8d4cd6d14c8eec7426

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.7MB

MD5
ac758f570c442d992995cdac9f1ceee8

SHA1
3636249af95ae144441a8a79a14d6ea3075fd8ca

SHA256
b11b8f56cb399af9d8d436818aadbda5b72b1cfebaa8faf05b5ad6f3e6e6ba2d

SHA512
9d441c2f89868685ad5b9595caca803681c7a46c0cd68386817012e802bb61f9ecbcc6337951a8a89ef48826ae0b44ffb4e0e368aa55096854e6f3e911625161

Download Submit
memory/2092-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2092-1-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download
memory/2092-8-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download
memory/2092-7-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download
memory/2092-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2092-13-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download
memory/2092-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2092-25-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download
memory/2092-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2092-45-0x0000000003160000-0x000000000336C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads