Analysis Overview
SHA256
5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074
Threat Level: Known bad
The file 5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074 was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-13 01:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-13 01:47
Reported
2023-10-13 01:51
Platform
win7-20230831-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\VersionIndependentProgID\ = "BDATuner.ATSCChannelTuneRequest" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\TypeLib | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Version | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ = "BDA Tuning Model ATSC Channel Tune Request" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ProgID | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Programmable | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296} | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ProgID\ = "BDATuner.ATSCChannelTuneRequest.1" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\TypeLib\ = "{9B085638-018E-11D3-9D8E-00C04F72D980}" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
"C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-13 01:47
Reported
2023-10-13 01:52
Platform
win10v2004-20230915-en
Max time kernel
172s
Max time network
182s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296} | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\ = "PrintTaskConfigurationProxyServer" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InProcHandler32 | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5AB4218-6AEB-3A4D-0539-DC41F7595296}\InProcHandler32\ = "C:\\Windows\\SysWOW64\\Windows.Devices.Printers.Extensions.dll" | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe
"C:\Users\Admin\AppData\Local\Temp\5212838b796f041056856765aa173efbe61fdf10b6371f6516c0ec735d701074.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.111.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files