banload | 64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Size

3.9MB
MD5

d7fd4d232e6944306d7756dbb57d9f82
SHA1

4216e260ee2c9b683a6b886dd66b0f1b37ce2869
SHA256

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce
SHA512

97d00d3441ca2507a284f1886f5ea7f0b9a3d6b6863fe56ba6784e628d571ff2e681f1fc00bc52bb4e9005be2efc1d2ffcd7ba3a19e8f747023b14dd98ae785b
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV8u/kUHHklZ77Szh9ownI:RF8QUitE4iLqaPWGnEvS9Ejzh9oEI

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

Renames multiple (196) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

Drops file in Program Files directory 64 IoCs

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\mip.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpnr.dll.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\sr-spc.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\ru.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\IpsMigrationPlugin.dll.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\7-zip.chm.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\id.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IpsMigrationPlugin.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcommonlm.dat.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\7z.dll.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\rtscom.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\gu.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

Modifies registry class 52 IoCs

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\6	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\7	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "URL Shortcut PropSetStorage Mapping"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2\Key = "URL"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\10\Key = "WhatsNew"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\15\VarType = "11"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\5	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\7\Key = "ShowCommand"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\8	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\9\Key = "IconIndex"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\7\VarType = "3"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\8\VarType = "3"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\2	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\9\VarType = "3"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\CLSID = "{942bc614-676c-464e-b384-d3202aaa02da}"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\Section = "InternetShortcut"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\12	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\12\Key = "Desc"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\9	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\9	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\InitPropertyBag	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\11\Key = "Author"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\2	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\5\Key = "WorkingDirectory"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\6\Key = "HotKey"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\9\Key = "IconFile"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\13\Key = "HotKey"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\13\Key = "Comment"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\10	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\2\Key = "URL"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\8\Key = "IconIndex"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\13	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\13\VarType = "18"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\13	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\6\VarType = "18"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14\VarType = "66"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\14\Key = "IDList"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\15	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\15\Key = "Roamed"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\Section = "InternetShortcut"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{000214A0-0000-0000-C000-000000000046}\11	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\10	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Instance\PropertySetStorage\{5CBF2787-48CF-4208-B90E-EE5E5D420294}\10\Key = "IconFile"	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

description	pid	Process
Token: 33	1796	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
Token: SeIncBasePriorityPrivilege	1796	64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe

C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe
"C:\Users\Admin\AppData\Local\Temp\64a91cc3b0732399297e7afde52698d2e093d853dacace4503bd07f606c967ce.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

Filesize
4.0MB

MD5
60f5e8027708a08f55e58c4969fa8083

SHA1
bcb52a1e3218ccfefda661ffcd057657cdbefdf2

SHA256
7e8e141819ec8b1b6f8350aed8b840a983af2689d64248efd934e65cdd40057c

SHA512
64fee121c76dfc9eeb66c88b5ea60c3fc2733eb57237575f3545e75be0b6a57ea96ec315bd7480a91ee13d9275fdee81f6fa71618e8a1bd9917c60238eb644ce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
4.1MB

MD5
fb012b9f5c1e749fcab90e329faa215e

SHA1
0fc9f2900f65e074d156ea4b1e1a055253119b17

SHA256
b73d31f61c7a8f858cdc6faa489f2e6ccb67e93b809ea32dd4e90042c2fd13b2

SHA512
c9daf0ac70a694da0fed1606d7a4afcc31f728aba8a974356cf88bf1614618f8ecdc24fc126e6016ceedceb29a72da0008a9569b79fad50adb1b0d797951ac37

Download Submit
memory/1796-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1796-1-0x00000000030C0000-0x00000000032CC000-memory.dmp

Filesize
2.0MB

Download
memory/1796-8-0x00000000030C0000-0x00000000032CC000-memory.dmp

Filesize
2.0MB

Download
memory/1796-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1796-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1796-13-0x00000000030C0000-0x00000000032CC000-memory.dmp

Filesize
2.0MB

Download
memory/1796-25-0x00000000030C0000-0x00000000032CC000-memory.dmp

Filesize
2.0MB

Download
memory/1796-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1796-45-0x00000000030C0000-0x00000000032CC000-memory.dmp

Filesize
2.0MB

Download