banload | 51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af

General

Target

51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Size

2.2MB
MD5

9f859e77f2cae32a58260f900f5403d3
SHA1

35faeec65f7f85caeeaf6a13d13c134fc3570fe5
SHA256

51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af
SHA512

8a5b841bc2ed7d25edd054011cf64145baac4417d85325a83694582cc967614a4288fcbba8c976c032510b80e49feeb072509993450b03b4e62ac61f28921836
SSDEEP

49152:gpbRm4GPK/MTeGTE7eFvjfrwDkzd5oVDn99c1/0VX/Pv8qAmZea+:k1GS/UFrE4zXuDnu0VX/PbAmZeR

Score

10^/10

banload downloader dropper persistence privilege_escalation trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Modifies registry class 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\ProgID\ = "InternetExplorer.Application.1"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\VersionIndependentProgID	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\Programmable	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\TypeLib	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\TypeLib\ = "{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\VersionIndependentProgID\ = "InternetExplorer.Application"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\ = "Internet Explorer(Ver 1.0)"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\AppId = "{e4803a36-7232-4ac0-a6af-29d59ebcc303}"	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\LocalServer32	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\LocalServer32\ = "\"%ProgramFiles%\\Internet Explorer\\iexplore.exe\""	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5A2F027-403B-1B60-EF86-137E11749927}\ProgID	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4428	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
Token: SeIncBasePriorityPrivilege	4428	51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe

C:\Users\Admin\AppData\Local\Temp\51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe
"C:\Users\Admin\AppData\Local\Temp\51be2dc49d7d326c6592500265d7ee92dfebf9629bb36ef07ab3b18f8fb908af.exe"
1⤵
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Privilege Escalation

Event Triggered Execution

1

T1546

Component Object Model Hijacking

1

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4428-0-0x0000000002780000-0x000000000296A000-memory.dmp

Filesize
1.9MB

Download
memory/4428-7-0x0000000002780000-0x000000000296A000-memory.dmp

Filesize
1.9MB

Download
memory/4428-12-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/4428-13-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download
memory/4428-14-0x0000000002780000-0x000000000296A000-memory.dmp

Filesize
1.9MB

Download
memory/4428-16-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4428-17-0x0000000002780000-0x000000000296A000-memory.dmp

Filesize
1.9MB

Download
memory/4428-19-0x0000000140000000-0x00000001402C9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing