Analysis Overview
SHA256
6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f
Threat Level: Known bad
The file 6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Enumerates connected drives
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 00:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 00:03
Reported
2024-08-19 00:06
Platform
win7-20240704-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID\ = "Icad.ViewerDrawing" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ = "Visio Viewer CAD Drawing" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\VVIEWDWG.DLL" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1488 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1488 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1488 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1488 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe
"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1320
Network
Files
memory/1488-0-0x0000000003220000-0x0000000003420000-memory.dmp
memory/1488-6-0x0000000003220000-0x0000000003420000-memory.dmp
memory/1488-7-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-11-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-10-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-14-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-13-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-15-0x0000000003810000-0x0000000003830000-memory.dmp
memory/1488-19-0x0000000003220000-0x0000000003420000-memory.dmp
memory/1488-18-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-16-0x0000000000400000-0x000000000147B000-memory.dmp
memory/1488-28-0x0000000003220000-0x0000000003420000-memory.dmp
memory/1488-29-0x0000000003220000-0x0000000003420000-memory.dmp
memory/1488-30-0x0000000000400000-0x000000000147B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 00:03
Reported
2024-08-19 00:06
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
141s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Enumerates connected drives
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\TypeLib | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\VersionIndependentProgID\ = "SppComApi.TokenActivation" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ = "TokenActivation Class" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ThreadingModel = "Free" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\TypeLib\ = "{B0C2A63F-AFF8-40E3-B42D-8A542DC909EC}" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\AppID = "{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B}" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ProgID\ = "SppComApi.TokenActivation.1" | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe
"C:\Users\Admin\AppData\Local\Temp\6938783c7097cee4abe419f9344110ab2420bcdc266893c4bf268664ddb61d0f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2104 -ip 2104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1736
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
memory/2104-1-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-3-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-8-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-11-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-14-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-13-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-16-0x0000000003DD0000-0x0000000003DF0000-memory.dmp
memory/2104-15-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-20-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-17-0x0000000000400000-0x000000000147B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Itsth\Easy2Sync_for_Outlook\logfile.txt
| MD5 | 27d2933c90fbdafea6bf93e7e2a79402 |
| SHA1 | 9c9a25919a4d0bd99b85184d14f25bf5f2ad8e16 |
| SHA256 | 38f244c4fbecebf351f06d564d7f66cefd71c2aa31de4547cded3725055bc522 |
| SHA512 | bb5ef34b96319a1419a58b8863b0e48e9cc0ea74d68e143f7ffa5931b544a1fc61e58bcaba56fe00167e3a2ee86119c9d8d6be506af5aa3cbf2c0f3281dda1f7 |
memory/2104-19-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-42-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-41-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-44-0x0000000000400000-0x000000000147B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Itsth\Easy2Sync_for_Outlook\logfile.txt
| MD5 | babda7708f686c5691f065c9b42e489c |
| SHA1 | 9fe86bfd4b0c4ecac730986771fe8959e2e4a929 |
| SHA256 | cc7ef5a9c8247f14cb99eab368b8e2c30dfa30f06ba95b28835817681dd23e67 |
| SHA512 | bc3f800241ecbe6890631cfa91c2350b51ecc8c9ddde027fba2f4a122c3f2b6fdaaba1495fc06faa93df5879be03c0dac4bacd1469e02cde7caa6a4925ba9d35 |
memory/2104-53-0x0000000000400000-0x000000000147B000-memory.dmp
memory/2104-54-0x00000000036D0000-0x00000000038D0000-memory.dmp
memory/2104-55-0x0000000000400000-0x000000000147B000-memory.dmp