Analysis Overview
SHA256
01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94
Threat Level: Known bad
The file 01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-02 22:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-02 22:52
Reported
2024-10-02 22:55
Platform
win7-20240903-en
Max time kernel
148s
Max time network
125s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\yfwfy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\yfwfy.exe" | C:\ProgramData\yfwfy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\yfwfy.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC} | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.OLEObjectClass" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Excel.OLEObjectClass" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2764 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
| PID 2764 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
| PID 2764 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
| PID 2764 wrote to memory of 2728 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe
"C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe"
C:\ProgramData\yfwfy.exe
"C:\ProgramData\yfwfy.exe"
Network
Files
memory/2764-0-0x0000000000400000-0x000000000069E000-memory.dmp
memory/2764-2-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2764-8-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2764-11-0x0000000000400000-0x000000000069E000-memory.dmp
memory/2764-13-0x0000000000400000-0x000000000069E000-memory.dmp
memory/2764-14-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2764-12-0x0000000000400000-0x000000000069E000-memory.dmp
memory/2764-16-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2764-15-0x00000000030A0000-0x00000000032AC000-memory.dmp
\ProgramData\yfwfy.exe
| MD5 | 185fcf13769319736d9783307db804c7 |
| SHA1 | 38b2cf70afebe2b9f791b958768e922904494743 |
| SHA256 | ef0981846d70079887547094e95d170137397ceab0ebf1b46e2f1945e1a5b771 |
| SHA512 | e2cc6d3a474f64ee490c6fc4b6b8325e9e588f0a00565334ee91b669ebef536aa657f865f3c3d3d01c70a735c4b0895683573f92c2154cb18eb0eeceb6a668c9 |
memory/2764-26-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2764-28-0x0000000000400000-0x000000000069E000-memory.dmp
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | 6f69f8db5bfe93af6af2529fb4d168d0 |
| SHA1 | 633e46ce9b641fac4c09b83fbb470895acf67885 |
| SHA256 | 64d2a64e120af1965c60964108a5b8b8c4a6a1139db5b07ad990e02a8038e99c |
| SHA512 | a6a899a9f7a448e220476e657e768d56494a01027c0170690faaefce5911c0e6fd916271c84224ffe2fb931ea7d20407ade9f8734a2b6fc076787bec3a504299 |
C:\MSOCache .exe
| MD5 | e222bd1421ab58b2a607efde835dfb5b |
| SHA1 | a1f2a0c20427daeb251277429959978475c96769 |
| SHA256 | f520143fa37ee2af4d029b83499ff0626318e2cac144804ecaada2033f8d29d8 |
| SHA512 | 6fdedc4ecf3978bc8eb48a4862bdf8b0657235a8bf54f19e74852dc355f2cb1df60d0fb051960c09602f3409957a6fad62da4ce00e0d4463e271ea9a5b8b4b3f |
memory/2728-41-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2728-55-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2728-120-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-02 22:52
Reported
2024-10-02 22:55
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\yfwfy.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\ProgramData\\yfwfy.exe" | C:\ProgramData\yfwfy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\yfwfy.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InProcServer32\ = "C:\\Windows\\SysWOW64\\Windows.System.Profile.SystemId.dll" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC} | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E39B48E3-27A2-832E-06B9-4EA889139DCC}\ = "Windows.System.Profile.SystemId" | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
| PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
| PID 212 wrote to memory of 5096 | N/A | C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe | C:\ProgramData\yfwfy.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe
"C:\Users\Admin\AppData\Local\Temp\01a888677b3451748982fca9cfc80d45b5f9ea851312aac42bb68f517ad32c94N.exe"
C:\ProgramData\yfwfy.exe
"C:\ProgramData\yfwfy.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/212-0-0x0000000000400000-0x000000000069E000-memory.dmp
memory/212-2-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
memory/212-9-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
memory/212-12-0x0000000000400000-0x000000000069E000-memory.dmp
memory/212-13-0x0000000000400000-0x000000000069E000-memory.dmp
memory/212-14-0x0000000000400000-0x000000000069E000-memory.dmp
memory/212-15-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
memory/212-16-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
memory/212-17-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
C:\ProgramData\yfwfy.exe
| MD5 | 185fcf13769319736d9783307db804c7 |
| SHA1 | 38b2cf70afebe2b9f791b958768e922904494743 |
| SHA256 | ef0981846d70079887547094e95d170137397ceab0ebf1b46e2f1945e1a5b771 |
| SHA512 | e2cc6d3a474f64ee490c6fc4b6b8325e9e588f0a00565334ee91b669ebef536aa657f865f3c3d3d01c70a735c4b0895683573f92c2154cb18eb0eeceb6a668c9 |
C:\ProgramData\Saaaalamm\Mira.h
| MD5 | 6f69f8db5bfe93af6af2529fb4d168d0 |
| SHA1 | 633e46ce9b641fac4c09b83fbb470895acf67885 |
| SHA256 | 64d2a64e120af1965c60964108a5b8b8c4a6a1139db5b07ad990e02a8038e99c |
| SHA512 | a6a899a9f7a448e220476e657e768d56494a01027c0170690faaefce5911c0e6fd916271c84224ffe2fb931ea7d20407ade9f8734a2b6fc076787bec3a504299 |
memory/212-27-0x0000000000400000-0x000000000069E000-memory.dmp
memory/212-28-0x0000000004DA0000-0x0000000004FAC000-memory.dmp
C:\DDF.sys .exe
| MD5 | 50369a92ebb578c7c42128718f37fb6e |
| SHA1 | bc2bf27133a98311b8c33c68975729ce1cede0e7 |
| SHA256 | 45884ae0492d5723d0c65009a6843e1eb18f2a4b3b433ce67f4953708525a198 |
| SHA512 | dc3c206096e6a3d50e7cca72f4ca9e5f799bd9593bf99dfbf58c3c27214c59201bc3c946ee271c2454673118d4a6248a57908cc31409235c7cb4cb04eadb3b67 |
memory/5096-54-0x0000000000400000-0x0000000000448000-memory.dmp
memory/5096-125-0x0000000000400000-0x0000000000448000-memory.dmp