banload | 3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Size

2.9MB
MD5

3b21836504ac26475c27dd76548b5d5c
SHA1

07512f4447927ed8b62ba59ca02edb773a83e885
SHA256

3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c
SHA512

16ca7b7636ce6ea989da678231e0487a4a4f782f92d127cad961d8e876a30d7451679a5117083ff5f3075cdef2632b72aba5eec440460bb8b7d203d61f94a92f
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVCMu7iMmFJIU1:RF8QUitE4iLqaPWGnEvgM7ME

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

Renames multiple (227) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipBand.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\lt.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\zh-tw.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\ShapeCollector.exe.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Small_News.jpg.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\ne.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\wab32res.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\ko.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\Ole DB\es-ES\sqlxmlx.rll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\AssertMerge.wax.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\System\msadc\msadco.dll.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui.tmp	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\RTFClassName	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\RTFClassName\ = "WrdPrfctDos"	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\RTFClassName\WrdPrfctDos	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1256	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
Token: SeIncBasePriorityPrivilege	1256	3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe

C:\Users\Admin\AppData\Local\Temp\3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe
"C:\Users\Admin\AppData\Local\Temp\3f775c6f5bf0d483ffb26584b713430399f8385551368575b58df4d9432a600c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp

Filesize
3.1MB

MD5
229f0726b1ee307cd04ff51f80f3b229

SHA1
60098f8cfd33fc65336459bf6733b6f37ba38bf7

SHA256
653da074044ac6c13d0a2cd95f05d3ffac473b6940ded84575c207f2e1973bfa

SHA512
3676224ae33e3eec759a471fe3d9e1777c9cd8b1af1dcd57842a139daa198bed6847e83bd4b6adfbbeb7b275c23146313bb567aa08d426dd9e3a5ac5cfedd596

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.1MB

MD5
1ae8ffb59024132890ce10148510ac8e

SHA1
61d9186af73bd2a947bcbe4a12484fbde29c5fb0

SHA256
6d99da53e3584e337dca8eb4273090a189f2cfa56cd8ba29faecbacaf45fbf79

SHA512
a5ae58cc9e5f7a9faacea4cb5301d59c5d398e43964dd08d1debc45f187bc59cabd1565c2d08d42e737f8960d077ca39c40d79d7a1c11c65b4137e71f0768cb6

Download Submit
memory/1256-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1256-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1256-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1256-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/1256-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1256-45-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads