banload | 5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e

General

Target

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Size

19.2MB
MD5

0e4924ada6cf54c65ad1e7452a002acc
SHA1

70de4a435716aefae28f646eb38cc1669dd96782
SHA256

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e
SHA512

3f98aaa9c234e359f8fa305058cf2dc0001417a985a44c0e72b0462bc5bbd45addf85acf0f670893a40591bc7aa8b8152c56e3f5d0909b2977066802eb476926
SSDEEP

393216:RaVxxnA/agezlwdj+KyN4+XBhu/rJwWhWfmxXwga+Zs3pbwMbcS8QBlZj/:Gx4afzKdj2LSrJwlmxXwga+u3pbJCilp

Score

10^/10

banload downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

N/A. 15 IoCs

N/A.

dropper

Processes:

resource	yara_rule
behavioral1/memory/1200-11-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-15-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-10-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-13-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-18-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-17-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-19-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-21-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-20-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-27-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-28-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-29-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-30-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-124-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html
behavioral1/memory/1200-129-0x0000000000400000-0x00000000048F1000-memory.dmp	dropper_html

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Modifies registry class 64 IoCs

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readable\Main	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Printable	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\AuxUserType\3	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\3	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer32	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Verb\1	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\IPersistStorageType = "2"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Verb\0\ = "&Edit,0,2"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer\LocalServer = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510000000000	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\DefaultFile	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IBManager.Database	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\AuxUserType\2\ = "Macro-Enabled Worksheet"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\1	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Version	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\AuxUserType\2	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readwritable	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\2	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readable\Main\ = "ExcelML12,ExcelWorksheet,Biff12,ExcelODS12,Biff8"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readwritable\Main	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\1\ = "2,1,16,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\OfficeCompliant	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readable	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DocObject	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\MiscStatus	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\ProgID	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\ProgID\ = "Excel.SheetMacroEnabled.12"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DefaultExtension\ = ".xlsm, Excel Macro-Enabled Workbook (*.xlsm)"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\MiscStatus\ = "0"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DefaultExtension	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510000000000	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\AuxUserType\3\ = "Microsoft Excel Macro-Enabled 12"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\MainPartContentType = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DefaultIcon	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Implemented Categories	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\InprocHandler32	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\ = "Microsoft Excel Macro-Enabled Worksheet"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Conversion\Readwritable\Main\ = "ExcelML12,Biff12,ExcelODS12,Biff8"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\2\ = "1,1,1,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\InprocHandler32\ = "ole32.dll"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\LocalServer\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Typelib\ = "{00020813-0000-0000-C000-000000000046}"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Verb\1\ = "&Open,0,2"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\AuxUserType	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\VersionIndependentProgID	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Verb\0	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\xlicons.exe,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\0	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DocObject\ = "16"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Insertable	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Typelib	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\DefaultFile\ = "ExcelML12"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\0\ = "3,1,32,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\3\ = "NotesDocInfo,1,1,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\4	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\DataFormats\GetSet\4\ = "NoteshNote,-1,1,1"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Verb	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\Version\ = "1.6"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB94BC87-0C5F-98A1-8BB6-715F27474639}\VersionIndependentProgID\ = "Excel.SheetMacroEnabled"	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	pid	process
Token: 33	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
Token: SeIncBasePriorityPrivilege	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

pid process

1200 5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

pid	process
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe

description	pid	process	target process
PID 1200 wrote to memory of 2868	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe	splwow64.exe
PID 1200 wrote to memory of 2868	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe	splwow64.exe
PID 1200 wrote to memory of 2868	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe	splwow64.exe
PID 1200 wrote to memory of 2868	1200	5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe	splwow64.exe

C:\Users\Admin\AppData\Local\Temp\5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe
"C:\Users\Admin\AppData\Local\Temp\5fc25a7484d832b7c60ff1bc9c3e844e9b2c0bdd98023ffc05e512edb4c6b86e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8E8C.mht

Filesize
50KB

MD5
9933b30e08473f20af0e0510293fc884

SHA1
e5c8f1c77a7493d10ebae224af998c96a132a206

SHA256
6bdb9e3af2d8c39ccb7a428dbfc059a63296987fe6b38081bf1e5202524086a7

SHA512
10c9160b1abd280f5986705b57408bfafe02fc463aaa07abb7ca6500ac691455221f41347031e306557a7d64cc0a1fc78b05d971ba70f20d710aa9463ad79085

Download Submit
memory/1200-22-0x0000000006840000-0x0000000006A40000-memory.dmp

Filesize
2.0MB

Download
memory/1200-11-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-23-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1200-15-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-10-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-13-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-18-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-17-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-20-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-0-0x0000000006840000-0x0000000006A40000-memory.dmp

Filesize
2.0MB

Download
memory/1200-129-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-7-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-19-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-26-0x0000000006840000-0x0000000006A40000-memory.dmp

Filesize
2.0MB

Download
memory/1200-27-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-28-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-29-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-30-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-6-0x0000000006840000-0x0000000006A40000-memory.dmp

Filesize
2.0MB

Download
memory/1200-123-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1200-124-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download
memory/1200-21-0x0000000000400000-0x00000000048F1000-memory.dmp

Filesize
68.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads