Overview
Analysis
- max time kernel: 55s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-06-2024 01:19
Static task
- static1

Behavioral tasks (task: sample, resource)
- behavioral1: files/Setup.exe, win7-20240508-en
- behavioral2: files/Setup.exe, win10v2004-20240508-en
- behavioral3: files/acdbase.dll, win7-20240419-en
- behavioral4: files/acdbase.dll, win10v2004-20240611-en
- behavioral5: files/api-ms-win-crt-convert-l1-1-0.dll, win10v2004-20240508-en
- behavioral6: files/api-ms-win-crt-environment-l1-1-0.dll, win10v2004-20240508-en
- behavioral7: files/api-ms-win-crt-heap-l1-1-0.dll, win10v2004-20240611-en
- behavioral8: files/api-ms-win-crt-runtime-l1-1-0.dll, win10v2004-20240226-en
- behavioral9: files/api-ms-win-crt-stdio-l1-1-0.dll, win10v2004-20240508-en
- behavioral10: files/api-ms-win-crt-string-l1-1-0.dll, win10v2004-20240611-en
- behavioral11: files/api-ms-win-crt-time-l1-1-0.dll, win10v2004-20240611-en
- behavioral12: files/api-ms-win-crt-utility-l1-1-0.dll, win10v2004-20240611-en
- behavioral13: files/libmmd.dll, win7-20240611-en
- behavioral14: files/libmmd.dll, win10v2004-20240508-en
- behavioral15: files/vcruntime140.dll, win7-20231129-en
- behavioral16: files/vcruntime140.dll, win10v2004-20240508-en
- behavioral17: files/vcruntime140_app.dll, win7-20240508-en
- behavioral18: files/vcruntime140_app.dll, win10v2004-20240611-en
- behavioral19: files/x86/HDHelper_[0MB]_[1].exe, win7-20240220-en
- behavioral20: files/x86/HDHelper_[0MB]_[1].exe, win10v2004-20240508-en
- behavioral21: files/x86/NvStereoUtilityOGL_[1MB]_[1].exe, win7-20240508-en
- behavioral22: files/x86/NvStereoUtilityOGL_[1MB]_[1].exe, win10v2004-20240226-en
- behavioral23: files/x86/VSLauncher_[0MB]_[1].exe, win7-20240611-en
- behavioral24: files/x86/VSLauncher_[0MB]_[1].exe, win10v2004-20240508-en
- behavioral25: files/x86/api-ms-win-core-processthreads-l1-1-1.dll, win10v2004-20240508-en
- behavioral26: files/x86/api-ms-win-core-profile-l1-1-0.dll, win10v2004-20240508-en
- behavioral27: files/x86/api-ms-win-core-rtlsupport-l1-1-0.dll, win10v2004-20240508-en
- behavioral28: files/x86/api-ms-win-core-string-l1-1-0.dll, win10v2004-20240611-en
- behavioral29: files/x86/api-ms-win-core-synch-l1-1-0.dll, win10v2004-20240611-en
- behavioral30: files/x86/api-ms-win-core-synch-l1-2-0.dll, win10v2004-20240611-en
- behavioral31: files/x86/api-ms-win-core-sysinfo-l1-1-0.dll, win10v2004-20240508-en
- behavioral32: files/x86/api-ms-win-core-timezone-l1-1-0.dll, win10v2004-20240611-en
General
- Target: files/Setup.exe
- Size: 8.5MB
- MD5: 98169506fec94c2b12ba9930ad704515
- SHA1: bce662a9fb94551f648ba2d7e29659957fd6a428
- SHA256: 9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
- SHA512: 7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
- SSDEEP: 196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: Setup.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Setup.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: Setup.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Setup.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (Setup.exe)
- Event Triggered Execution: Component Object Model Hijacking (1 TTP)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Setup.exe
  - PID 3528 (Setup.exe) set thread context of PID 4908 (more.com)
- Executes dropped EXE (1 IoC)
  Processes: Setup.exe
  - PID 3836 Setup.exe
- Loads dropped DLL (1 IoC)
  Processes: httpd.au3
  - PID 2148 httpd.au3
- Program crash (1 IoC)
  Processes: WerFault.exe
  - PID 4556 WerFault.exe, target PID 3836 Setup.exe
- Modifies registry class (16 IoCs)
  Processes: Setup.exe
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\System.IsPinnedToNameSpaceTree = "1" (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32 (Setup.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Instance\InitPropertyBag\Attributes = "17" (Setup.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ShellFolder\FolderValueFlags = "40" (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Instance\InitPropertyBag (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ShellFolder (Setup.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "OneDrive" (Setup.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\SortOrderIndex = "66" (Setup.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll" (Setup.exe)
  - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ShellFolder\Attributes = "4034920525" (Setup.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" (Setup.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}" (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon (Setup.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0" (Setup.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Instance (Setup.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: Setup.exe, more.com
  - PID 3528 Setup.exe (2 events)
  - PID 4908 more.com (2 events)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Setup.exe, more.com
  - PID 3528 Setup.exe
  - PID 4908 more.com
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: Setup.exe, more.com
  - PID 3528 (Setup.exe) wrote to memory of PID 3836 (Setup.exe), 3 events
  - PID 3528 (Setup.exe) wrote to memory of PID 4908 (more.com), 4 events
  - PID 4908 (more.com) wrote to memory of PID 2148 (httpd.au3), 4 events
Processes (depth shown in brackets; detections listed under each process)
- [1] C:\Users\Admin\AppData\Local\Temp\files\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Roaming\loadctrltb\XDXRHCSXQAVFOVUI\Setup.exe
    Command line: C:\Users\Admin\AppData\Roaming\loadctrltb\XDXRHCSXQAVFOVUI\Setup.exe
    - Executes dropped EXE
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 856
      - Program crash
  - [2] C:\Windows\SysWOW64\more.com
    Command line: C:\Windows\SysWOW64\more.com
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\httpd.au3
      Command line: C:\Users\Admin\AppData\Local\Temp\httpd.au3
      - Loads dropped DLL
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3836 -ip 3836
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
Dropped files
- C:\Users\Admin\AppData\Local\Temp\ad9619cb
  Filesize: 2.0MB
  MD5: b2a53c633b16fb961dced1185fbd7206
  SHA1: d9030251f735896043a991207662eeea9d6285c6
  SHA256: 2596f45924573d28a42ff665b76d774d0cdea806d8a1a5d1aa1631fd91ecd8c6
  SHA512: 2ca49d5ccc14a4f83a8d91d39a058c0b55a1da3c37a0a8b4929ce7f1e2f7b963ba3c9c039ac209dcfdf1da469c7fbdd32e50b1f927aa26f1b88df10683ad80b3
- C:\Users\Admin\AppData\Local\Temp\httpd.au3
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
- C:\Users\Admin\AppData\Roaming\loadctrltb\XDXRHCSXQAVFOVUI\Setup.exe
  Filesize: 111KB
  MD5: 9f262921a7fbd432c3a694a372caf1b9
  SHA1: dfd75a8835a5553d457f4f702c7fe5785227854f
  SHA256: 56cff82b9e3ee0ed5e74a3e55115e96fd198598be26492cca7b15d9b9023a238
  SHA512: cabeaef6132444dc06e7a53332eb58446f7046069044c44b7a27693866a1d66aad7b3ebb5fe7bb79b780548a75b206528f176f5505c574b1c7ad3bcc6fc628b8

Memory dumps (file, filesize)
- memory/2148-55-0x0000000000E70000-0x0000000000ECB000-memory.dmp, 364KB
- memory/2148-53-0x0000000000E70000-0x0000000000ECB000-memory.dmp, 364KB
- memory/2148-52-0x00007FF8B2D30000-0x00007FF8B2F25000-memory.dmp, 2.0MB
- memory/3528-17-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-38-0x00007FF8A3B70000-0x00007FF8A3CE2000-memory.dmp, 1.4MB
- memory/3528-20-0x00007FF8A3B70000-0x00007FF8A3CE2000-memory.dmp, 1.4MB
- memory/3528-36-0x00007FF8A3B70000-0x00007FF8A3CE2000-memory.dmp, 1.4MB
- memory/3528-34-0x00007FF8A3B88000-0x00007FF8A3B89000-memory.dmp, 4KB
- memory/3528-37-0x00007FF8A3B70000-0x00007FF8A3CE2000-memory.dmp, 1.4MB
- memory/3528-15-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-19-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-42-0x00007FF8A3B70000-0x00007FF8A3CE2000-memory.dmp, 1.4MB
- memory/3528-0-0x0000000004030000-0x0000000004218000-memory.dmp, 1.9MB
- memory/3528-10-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-12-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-16-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/3528-14-0x0000000000400000-0x0000000001CF7000-memory.dmp, 25.0MB
- memory/4908-48-0x00000000751C0000-0x000000007533B000-memory.dmp, 1.5MB
- memory/4908-46-0x00007FF8B2D30000-0x00007FF8B2F25000-memory.dmp, 2.0MB