banload | 51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18/03/2025, 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Size

2.2MB
MD5

9f859e77f2cae32a58260f900f5403d3
SHA1

35faeec65f7f85caeeaf6a13d13c134fc3570fe5
SHA256

51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af
SHA512

8a5b841bc2ed7d25edd054011cf64145baac4417d85325a83694582cc967614a4288fcbba8c976c032510b80e49feeb072509993450b03b4e62ac61f28921836
SSDEEP

49152:gpbRm4GPK/MTeGTE7eFvjfrwDkzd5oVDn99c1/0VX/Pv8qAmZea+:k1GS/UFrE4zXuDnu0VX/PbAmZeR

Score

10^/10

banload downloader dropper persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\ = "MIDI Renderer"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32\ = "C:\\Windows\\system32\\quartz.dll"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32\ThreadingModel = "Both"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3012	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Token: SeIncBasePriorityPrivilege	3012	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

C:\Users\Admin\AppData\Local\Temp\51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
"C:\Users\Admin\AppData\Local\Temp\51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3012-17-0x0000000002420000-0x000000000260A000-memory.dmp

Filesize
1.9MB

Download
memory/3012-16-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/3012-14-0x0000000002420000-0x000000000260A000-memory.dmp

Filesize
1.9MB

Download
memory/3012-13-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/3012-12-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/3012-7-0x0000000002420000-0x000000000260A000-memory.dmp

Filesize
1.9MB

Download
memory/3012-0-0x0000000002420000-0x000000000260A000-memory.dmp

Filesize
1.9MB

Download
memory/3012-19-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download