banload | 0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85

Analysis

max time kernel
140s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2025, 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Size

3.1MB
MD5

eea6be70d84d4668a4aac9739a4a0d7c
SHA1

56eb1a1354cd846632e4005e39a158b77726526b
SHA256

0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85
SHA512

b412531bed426c2fabda1a37120406e0b60cf54ed7328518e39926e481c2caede260fe2b614242a31a1088864e4d44050fa12412c91aa0fb2c0668bad9036c5c
SSDEEP

49152:OuWJCbWiFqRTN/qYthAstP768B1ECYJgkFRrma2sx05tE:OugCSie/TthAstD68B+5J/RrmAxStE

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\TreatAs\ = "{00020906-0000-0000-C000-000000000046}"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\dXpedgjnzlup	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\acfgwxCowelz\ = "dPQWvGPQGfmoccno@_H\x7fEesq]foN"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\SrLyJkLX\ = "nTHKDgmYmKqsY]U@GlbNt\\"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\jdzhrGcchWnL\ = "s_\x7fSDWVOacav_Gu_JN^nzsRlaHUFR"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\SrLyJkLX	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gclmYjlIq\ = "}hQmaw\\mzp"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gclmYjlIq\ = "}hQmjB]`KT"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\ProgID	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\lJnwRqtQTj\ = "Ve\|IIjcD\|gH{yl\|SvgWtxA]qGnV"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\jdzhrGcchWnL	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\jdzhrGcchWnL\ = "eKc{lM\|KQDpjVB\\gOdI^~KXZet[V\\"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\otFpCqxm\ = "VdkcUqNFvOkBq[\\_@e"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\dXpedgjnzlup	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gclmYjlIq\ = "kD\x7f[RK\x7fPS\|"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\ = "Microsoft Word 6.0 - 7.0 Picture"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\SrLyJkLX\ = "V\x7f\x7fgWl\|gSbz`pQV]kShlPs"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\SrLyJkLX\ = "nTHKDgmYmKqsY]U@GlbNu\\"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE,1"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gesccaaFwa\ = "JpKSii~ivrNFR\\z[\\qgt}iz"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\otFpCqxm	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\acfgwxCowelz\ = "[Cz^hTKOtBCaCf]K\\r`HK{vOn_Wu"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\NotInsertable	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\SrLyJkLX	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\SrLyJkLX\ = "V\x7f\x7fgWl\|gSbz`pQV]kShlRs"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\lJnwRqtQTj	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\lJnwRqtQTj\ = "VkBDlqD\|OpkMujFmfwVtiJ\\eqtu"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\jdzhrGcchWnL	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\dXpedgjnzlup\ = "FNel~hEZPOhY`iMgZr\\MqqW_mw"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\DefaultIcon	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gclmYjlIq	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gclmYjlIq\ = "}hQmlvfE~l"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\otFpCqxm\ = "TnvPDgsfN{SLZ\\y]\x7fN"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\SrLyJkLX\ = "V\x7f\x7fgWl\|gSbz`pQV]kShlQs"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\TreatAs	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\lJnwRqtQTj	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gesccaaFwa	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gesccaaFwa\ = "[qrvMSUPL@KmU^dvM[r^cT_"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\SrLyJkLX\ = "nTHKDgmYmKqsY]U@GlbNw\\"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\acfgwxCowelz	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\NotInsertable\	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\acfgwxCowelz	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\acfgwxCowelz\ = "dPQWvGPQGfmoccno@_H\x7fEeCq]foN"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\dXpedgjnzlup\ = "_My^_mFxvrs]X{nbYsPsz@Zz}R"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\SrLyJkLX\ = "nTHKDgmYmKqsY]U@GlbNv\\"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gclmYjlIq\ = "kD\x7f[^BxgR@"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\otFpCqxm	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gclmYjlIq\ = "}hQmm~[Z{L"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\SrLyJkLX\ = "V\x7f\x7fgWl\|gSbz`pQV]kShlSs"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\AutoConvertTo	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gclmYjlIq	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\dXpedgjnzlup\ = "FNUl~hEZPOhY`iMgZr\\MqqW_mw"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gclmYjlIq\ = "kD\x7f[_JExW`"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\dXpedgjnzlup\ = "_MI^_mFxvss]X{nbYsPsz@Zz}R"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\gclmYjlIq\ = "kD\x7f[Y~~]bX"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\dXpedgjnzlup\ = "FNel~hEZPNhY`iMgZr\\MqqW_mw"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\ProgID\ = "Word.Picture.6"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\acfgwxCowelz\ = "[Cz^hTKOtBCaCf]K\\r`HK{FOn_Wu"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\AutoConvertTo\ = "{00020907-0000-0000-C000-000000000046}"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Key created	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000_Classes\{5006845C-D45A-13D1-B2E4-0060975B8649}\gesccaaFwa	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{06BDB322-E02C-53D9-8B4E-C2F75A86A123}\dXpedgjnzlup\ = "_MI^_mFxvrs]X{nbYsPsz@Zz}R"	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\TEMP:5006845C	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
File opened for modification	C:\ProgramData\TEMP:5006845C	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	116	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Token: SeIncBasePriorityPrivilege	116	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Token: 33	1164	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
Token: SeIncBasePriorityPrivilege	1164	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 1164	116	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe	94
PID 116 wrote to memory of 1164	116	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe	94
PID 116 wrote to memory of 1164	116	0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe	94

C:\Users\Admin\AppData\Local\Temp\0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
"C:\Users\Admin\AppData\Local\Temp\0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe
  "C:\Users\Admin\AppData\Local\Temp\0654e183ef58f3ab0f036690fe1a666eaef2387e622645dd8ca25cd1d19a7d85.exe"
  2⤵
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\085B818A496C028ED.Lic

Filesize
136B

MD5
d181abb0151ea7f5b037db37a3c6517e

SHA1
2880674a73eb06746c89cc7e9ebe95b67b5fd689

SHA256
62dcc9a28a09eaf78c03b9f7dd3d0b04688d5d6f529d998b60c382e2ee4f9159

SHA512
deeb6a33041275b5311aaa577a6827e68c6708ecca88b339ecdaec01026777591f0bb9fcc1f016052d32c6a7fa60e5fcbbc30e7f24542f2b652e3eb200040b8a

Download Submit
memory/116-2-0x0000000002B50000-0x0000000002D51000-memory.dmp

Filesize
2.0MB

Download
memory/116-8-0x0000000002B50000-0x0000000002D51000-memory.dmp

Filesize
2.0MB

Download
memory/116-14-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-13-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-17-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-15-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-18-0x0000000002B50000-0x0000000002D51000-memory.dmp

Filesize
2.0MB

Download
memory/116-16-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-20-0x0000000002B50000-0x0000000002D51000-memory.dmp

Filesize
2.0MB

Download
memory/116-0-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/116-44-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-28-0x0000000002C40000-0x0000000002E41000-memory.dmp

Filesize
2.0MB

Download
memory/1164-36-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-38-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-39-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-40-0x0000000002C40000-0x0000000002E41000-memory.dmp

Filesize
2.0MB

Download
memory/1164-37-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-35-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download
memory/1164-43-0x0000000002C40000-0x0000000002E41000-memory.dmp

Filesize
2.0MB

Download
memory/1164-22-0x0000000002C40000-0x0000000002E41000-memory.dmp

Filesize
2.0MB

Download
memory/1164-49-0x0000000000400000-0x00000000008B4000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads