banload | ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Size

3.1MB
MD5

51689aa36665dae2c30193725ab9e3c0
SHA1

d9820f5f8ca72c7a887b6290d41596c1a30a79a0
SHA256

ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7
SHA512

5c8dee0fc069747b3781304888ab094b0db52b042ca847b0ead6177ad1141bb25036b9c6f0a92a701c8c788aea11cf3891f855ddcdc4f519146204ecff64e4f1
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV47RIgompnfMNJO:RF8QUitE4iLqaPWGnEvK7RCO

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

Renames multiple (540) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\af.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\dicjp.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tabskb.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.ja-jp.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.InteropServices.RuntimeInformation.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XmlDocument.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\7-Zip\Lang\de.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrdeslm.dat.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-CN\tipresx.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Data.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tools.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\it-IT\TipRes.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.vi-vn.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-datetime-l1-1-0.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Tracing.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ms-my.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\ado\msadox.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledbjvs.inc.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.tr-tr.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\clrjit.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\uk-UA\tabskb.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOMessageProvider.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\msadc\msadds.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\host\fxr\6.0.27\hostfxr.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mraut.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\Crashpad\metadata.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Collections.Concurrent.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Console.dll.tmp	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\iasnap.dll"	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Free"	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "IAS.PostEapRestrictions.1"	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "IAS.PostEapRestrictions"	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1952	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
Token: SeIncBasePriorityPrivilege	1952	ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe

C:\Users\Admin\AppData\Local\Temp\ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe
"C:\Users\Admin\AppData\Local\Temp\ad5abae92c52f988a942ad0c899d37e08bf289da54461e0772a2d02dc98665e7N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
3.2MB

MD5
f1272ea6b630365d72498ff60d86ccd4

SHA1
dcb2f5b0d14d4e07d93a1f7de862449114afcb4a

SHA256
1e3456275128b9e94c38a726f0e2b96bfbb3746fa438b916a7cfc3912e8149b2

SHA512
8e616e523988e1959a10e92dc29159c2c4eda41f8eead0caeba36fafd297c1a1fc7df72ac2968ec59c096db5f447cb054b96097b4ed76d8366ce488b64efb8e1

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
3.3MB

MD5
be786fa92dbf06e3b81a947358e9a9ec

SHA1
833cb0657586838481d0fcb24357f825e5149c02

SHA256
bf07c9b9be5a9146141627553ba0caf576eb151a3624fd8b0e079f3ef971267a

SHA512
cf0691931a5bacc2db1c425f3da946ee19ab72da22a9ead27f7ff37480c3d4e9ac37ae98cac7be957d7eb83e58e1e9cdf373a12dda5bc8b328264b238d2f2627

Download Submit
memory/1952-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1952-2-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-9-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1952-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1952-14-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-46-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-47-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download
memory/1952-132-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1952-150-0x00000000049B0000-0x0000000004BBC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads