Analysis Overview
SHA256
932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd
Threat Level: Known bad
The file 932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd was found to be: Known bad.
Malicious Activity Summary
Banload
Checks BIOS information in registry
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 18:25
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 18:25
Reported
2024-08-11 18:28
Platform
win7-20240708-en
Max time kernel
122s
Max time network
128s
Signatures
Banload
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ = "%CommonProgramFiles%\\System\\ado\\msadox.dll" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID\ = "ADOX.Catalog.6.0" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "ADOX.Catalog.6.0" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID\ = "ADOX.Catalog.6.0" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63} | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe
"C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe"
Files
memory/1788-0-0x0000000003130000-0x0000000003309000-memory.dmp
memory/1788-3-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-7-0x0000000003130000-0x0000000003309000-memory.dmp
memory/1788-12-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-13-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-15-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-16-0x00000000001E0000-0x0000000000200000-memory.dmp
memory/1788-17-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-20-0x0000000003130000-0x0000000003309000-memory.dmp
memory/1788-19-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/1788-22-0x0000000003130000-0x0000000003309000-memory.dmp
memory/1788-25-0x0000000003130000-0x0000000003309000-memory.dmp
memory/1788-27-0x0000000000400000-0x0000000000A2B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 18:25
Reported
2024-08-11 18:28
Platform
win10v2004-20240802-en
Max time kernel
136s
Max time network
136s
Signatures
Banload
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\Class = "dao.UserClass" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID\ = "DAO.User.36" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ = "DAO.User.36" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63}\ProgID | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{251F89F4-807B-1861-D9E5-1E017009BD63} | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe
"C:\Users\Admin\AppData\Local\Temp\932b803b498308d97782847fc00c6f54dfacc847aaf24ffb658064f3622994fd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/2104-0-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-2-0x0000000003C50000-0x0000000003E29000-memory.dmp
memory/2104-8-0x0000000003C50000-0x0000000003E29000-memory.dmp
memory/2104-14-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-17-0x0000000003BC0000-0x0000000003BE0000-memory.dmp
memory/2104-13-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-16-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-18-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-20-0x0000000000400000-0x0000000000A2B000-memory.dmp
memory/2104-21-0x0000000003C50000-0x0000000003E29000-memory.dmp
memory/2104-23-0x0000000003C50000-0x0000000003E29000-memory.dmp
memory/2104-26-0x0000000003C50000-0x0000000003E29000-memory.dmp
memory/2104-27-0x0000000000400000-0x0000000000A2B000-memory.dmp