Analysis Overview
SHA256
2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8
Threat Level: Known bad
The file 2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (431) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (199) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-27 19:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 19:02
Reported
2024-11-27 19:04
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Renames multiple (199) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\wmcodecdspps.dll" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe
"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"
Network
Files
memory/2360-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2360-1-0x0000000002FF0000-0x00000000031FC000-memory.dmp
memory/2360-8-0x0000000002FF0000-0x00000000031FC000-memory.dmp
memory/2360-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2360-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2360-13-0x0000000002FF0000-0x00000000031FC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp
| MD5 | 5b929370e84ad20c2051f479520f5956 |
| SHA1 | f883b5f55ea4692e723be5269dbf2126a0803a65 |
| SHA256 | fb0d030c4d93328e3028f11b251ac9801e77e4ba1045701a7debc8f01420384f |
| SHA512 | c24c72adc4a15e7547e6425620379f852debdbe3bed2535a4b5cb0166f171f7fd758f9d12ea568d9d2c9675b173fe9e0f922f8d75f4ed72403d4633a79c022ba |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | a5da00043ab3c7d607db2d5652830e67 |
| SHA1 | 53ab41a22731a0d4c6b676ad3f6c0d243eff82fd |
| SHA256 | cb819e0d7dd30d047cb8cb9561d0ad7a02a776e8474f6f45dfa3c05597646d38 |
| SHA512 | 410339ecab0732538f4e24b7f34241c9b245b106ea017360b208065f8b7d8ae9285a365f6b3f500a329f6465477a30de61921e8c564c715c45de1ad8624c2cdc |
memory/2360-25-0x0000000002FF0000-0x00000000031FC000-memory.dmp
memory/2360-43-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2360-51-0x0000000002FF0000-0x00000000031FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 19:02
Reported
2024-11-27 19:04
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Renames multiple (431) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "XDS Feature Segment" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Programmable | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{B0EDF154-910A-11D2-B632-00C04F79498E}" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe
"C:\Users\Admin\AppData\Local\Temp\2e4ca2fa6ef7688d88dd12f476b60ab70cb4f3fbd7722b4862800b45cbd2b1e8N.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2268-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2268-2-0x0000000004480000-0x000000000468C000-memory.dmp
memory/2268-9-0x0000000004480000-0x000000000468C000-memory.dmp
memory/2268-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2268-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2268-14-0x0000000004480000-0x000000000468C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp
| MD5 | 87dfa021de296e6349eb0bb89df571e2 |
| SHA1 | e1c281f0c18ac40c28427b445b769a59860fac8e |
| SHA256 | c50ea93e46f1ab7056f152f2d830efc998f1992ea65f443262101c7d65859e8c |
| SHA512 | e4a8dd88ba56c3062c127697d21c64d77669b2149e7336980770eceed0dbd99950260839f275dc91f3641db1d49da126f51769f1f74db6d7a8753b39ce3bae7f |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 513e5903480d82ae4cb5e86f5cd6161e |
| SHA1 | c62c2cb6815853df44c37994243e9ea397d7deea |
| SHA256 | ab0fd17f43471b0d001003e497bc57c73e8bad39226d6126a8472b3941db42df |
| SHA512 | 72cb6bea6fd14600d3000e14bb0aae60719166db3930255ec27dad2bb01aa22cc3aecd6a1943bbb7d4b15ee73d8ef33e0b59c82c119313855da9841b5e89a740 |
memory/2268-42-0x0000000004480000-0x000000000468C000-memory.dmp
memory/2268-43-0x0000000004480000-0x000000000468C000-memory.dmp
memory/2268-110-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2268-124-0x0000000004480000-0x000000000468C000-memory.dmp