banload | 5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839

Analysis

max time kernel
103s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839.dll
Size

3.5MB
MD5

68cca8274a53918321b220e3b48251fe
SHA1

2e4a0dcd41818d5e63dbeeebca62458f0cf79342
SHA256

5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839
SHA512

7f61bcd2aefd932b51db2996120e54ca7812f6041f27f73221565011f703550ae3936fe67ce6b3f54bcbe2612cf1e9d16cfc87e331ea5d5e97a58ea5da19a398
SSDEEP

49152:ZgoRTtP4NngsOcwTwKZYqcPEFLVZtmoVDn99c1/0VX69Ux4CO3OnepMIAmZea+:SOA+wq3hZkuDnu0VX69UeCOq8AmZeR

Score

10^/10

banload downloader dropper persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regsvr32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	regsvr32.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect.1\CLSID\ = "{20163201-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect\CurVer\ = "OneMindMap2016.Connect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ = "IConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\AppID = "{20163201-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\ = "One Mind Map 2016 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib\ = "{20163202-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect\ = "Connect Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\ProgID\ = "OneMindMap2016.Connect.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ = "IDialogMapOptions"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect.1\ = "Connect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32\ = "C:\\Windows\\System32\\srh.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ = "IConnect"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\ = "Connect Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\VersionIndependentProgID\ = "OneMindMap2016.Connect"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ = "IDialogMapOptions"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{20163202-AE2E-4A01-81A1-0F0BA89F8886}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\ = "NarratorExplorerWindow Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\TypeLib\ = "{20163202-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20163203-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib\ = "{20163202-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5615F8D1-3C4C-41F8-90B6-7AEBD02E6140}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneMindMap2016.Connect\CLSID\ = "{20163201-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20163201-AE2E-4A01-81A1-0F0BA89F8886}\TypeLib\ = "{20163202-AE2E-4A01-81A1-0F0BA89F8886}"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2872	regsvr32.exe
Token: SeIncBasePriorityPrivilege	2872	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5c920ce32149daf7ff105958394356d2e65e59408ba662ed12a27607c623f839.dll
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2872-0-0x0000000002F00000-0x00000000030EA000-memory.dmp

Filesize
1.9MB

Download
memory/2872-10-0x0000000180000000-0x000000018061C000-memory.dmp

Filesize
6.1MB

Download
memory/2872-12-0x0000000180000000-0x000000018061C000-memory.dmp

Filesize
6.1MB

Download
memory/2872-13-0x0000000180000000-0x000000018061C000-memory.dmp

Filesize
6.1MB

Download
memory/2872-15-0x0000000180000000-0x000000018061C000-memory.dmp

Filesize
6.1MB

Download