Analysis

  • max time kernel
    120s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04-01-2025 07:07

General

  • Target: f9b433ba318ab698060d5fd501954b03413e148ec24b046ea78de3a22774d6f3N.exe
  • Size: 2.8MB
  • MD5: bee59f0c7a37f46356664b993b29c700
  • SHA1: eb702c3a42915c691652f115683a5fb2ff3981b9
  • SHA256: f9b433ba318ab698060d5fd501954b03413e148ec24b046ea78de3a22774d6f3
  • SHA512: 6df706ddccea6c35e7b91c57e632dc84cd91cceb8efde2baa7813576305088026459209ebcf0a5c999b731ccf9a14ec520e6a425c43d5e75ab60eb6ba0391174
  • SSDEEP: 49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVzY+UOlk0l:RF8QUitE4iLqaPWGnEv3l

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Banload family
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Renames multiple (602) files with added filename extension

    This suggests ransomware activity: the sample is encrypting the files on the system and renaming them with a new extension.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9b433ba318ab698060d5fd501954b03413e148ec24b046ea78de3a22774d6f3N.exe
    "C:\Users\Admin\AppData\Local\Temp\f9b433ba318ab698060d5fd501954b03413e148ec24b046ea78de3a22774d6f3N.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1368

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp
    Filesize: 2.9MB
    MD5: b1261ba1d2e62838d10a866a4c66fa10
    SHA1: a1c064d053d103cc56477c081f9e806bf77eb0bf
    SHA256: da77ff5b44bd851696da9292636308b7a0a2ce71d1b72dc51579a8d57d13b39f
    SHA512: 348aefdf46461883d1e5085b9f87ca3ec72675da392de2478b3737f9367b110a77eb6f1375ce547161a5f36f9f6a888dbac6310fc4488748525e1d23d64ada23

  • C:\Program Files\7-Zip\7-zip.dll.tmp
    Filesize: 3.0MB
    MD5: 95515c3015a8ee7634c5511d809592ae
    SHA1: 197c85c2360879e533bae130c80322b10985740d
    SHA256: 24ef758777dee03b44b3f73c66d4db9785d0dbebafc59f24c1673896c78cf77f
    SHA512: 77668639b67575f848659627253bee4d102340448e18e5d3780bf25567e539416bb395866e464f45951fe2c4a948311dbccd0eae44794b9c161337bf039f9d8f

  • memory/1368-0-0x0000000000400000-0x0000000000616000-memory.dmp
    Filesize: 2.1MB

  • memory/1368-2-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB

  • memory/1368-9-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB

  • memory/1368-12-0x0000000000400000-0x0000000000616000-memory.dmp
    Filesize: 2.1MB

  • memory/1368-13-0x0000000000400000-0x0000000000616000-memory.dmp
    Filesize: 2.1MB

  • memory/1368-14-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB

  • memory/1368-49-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB

  • memory/1368-48-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB

  • memory/1368-138-0x0000000000400000-0x0000000000616000-memory.dmp
    Filesize: 2.1MB

  • memory/1368-158-0x00000000047D0000-0x00000000049DC000-memory.dmp
    Filesize: 2.0MB