banload | 73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2

Analysis

max time kernel
59s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Size

6.5MB
MD5

c92d7a2fac3a4e82d3c44a7105b2b36e
SHA1

cd3ee7e3072fd3a34db3cc486dc060675d7d31b5
SHA256

73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2
SHA512

006cc7cc74ac097fa18e6585bb77729977cece28ea8950c3c29b4f2604632009fc0f425f9fcb91109494bd668b00404c013bae035f45d4b5e491f6f44ad775fd
SSDEEP

98304:RF8QUitE4iLqaPWGnEv7/IJsiC5sop7cTx:RFQWEPnPBnEAsiC592Tx

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\BackupResize.jpeg.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sv-se.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-tw.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\License.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sk-sk.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\tk.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ru-ru.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\hy.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\sl.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fi-fi.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\hi.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\ClearImport.dot.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp120.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\mr.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\hr.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.da-dk.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\fi.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Remove Properties Drop Target"	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment"	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4972	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
Token: SeIncBasePriorityPrivilege	4972	73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe

C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe
"C:\Users\Admin\AppData\Local\Temp\73aa60a6934a503658c4f7df4ba463ac1fc1dbddce00dd9dfe9e8ddfb6e8fbe2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp

Filesize
6.6MB

MD5
0a03cf2a455303c7d33033a9d3a47693

SHA1
10d50c458104c79d097c6ae0ae0b82b5cb68d856

SHA256
fddb447f37f4296193051e80008bd6dabb15eb74c8f8baadd63ec7bd501b818c

SHA512
138caed2f36de7af15cce738b425765457e67939b41290b022161caffed498d666abd2746081a39d16344ed4b73c309d78c316b5a5ad84264ed75d9e7ef26da8

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
6.7MB

MD5
a65b9157ee26267160a1a93e219a9877

SHA1
6c9282f382cf959c751fda3b0ce3116f3499ec18

SHA256
8afcb614704cab1a918a62ee99c9f8be5be9e32c23deb944a10a1df87eb3c564

SHA512
a74bdc2bea05cdb7f72f3d955b96ad932b98ebd8ccdcb25f511b72b762f813026b4ecf3e8f79a4e61a35b46418439198fbadff7e16732cbe83d8134cc1befb0f

Download Submit
memory/4972-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4972-2-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download
memory/4972-9-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download
memory/4972-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4972-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4972-14-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download
memory/4972-34-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download
memory/4972-35-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download
memory/4972-80-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4972-88-0x0000000004430000-0x000000000463C000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads