Analysis Overview
SHA256
facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3
Threat Level: Known bad
The file facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (324) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-28 02:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-28 02:56
Reported
2024-11-28 02:59
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Outlook Office Explorer" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
"C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe"
Network
Files
memory/2132-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2132-1-0x0000000003110000-0x000000000331C000-memory.dmp
memory/2132-8-0x0000000003110000-0x000000000331C000-memory.dmp
memory/2132-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2132-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2132-13-0x0000000003110000-0x000000000331C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp
| MD5 | 66d940622275df189a63df31b984c0d2 |
| SHA1 | 82807e7a98d418d2cc2b0976d2fbda7dea0bc969 |
| SHA256 | 1875a63dc38d688b90765c031e3b39bdc609b56cbb18494c03a5fbcf2fa9f583 |
| SHA512 | 77b6bc91b30fbf11c8585ce1da8f83ccbbf9cfd3fd0d01bc8a71c8c5486fc7a729c133be5d2b1871037c64892dbb13bc07c08354f09fa6c478e83b6f38cf5b30 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 7a271af076acb1c627ac68eb9651d27d |
| SHA1 | 3f7ee775686858b87bfdc0757a0442323d9a6a76 |
| SHA256 | cf54edbd580668f3cdd7bbe9392d7f043c7298c86cf8ae598f97beeeabdb62b6 |
| SHA512 | 6c6e9cc661fb01205160ad329e3d5cef19fbd2d3c2e25b13fb668dd1d6ae701b05b597123c670c8bcc7735fba4607b552eb99d7af46d6f41519a7c444b4fec21 |
memory/2132-25-0x0000000003110000-0x000000000331C000-memory.dmp
memory/2132-41-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2132-45-0x0000000003110000-0x000000000331C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-28 02:56
Reported
2024-11-28 02:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Renames multiple (324) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "HidCapabilityHandler" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\Windows.Devices.HumanInterfaceDevice.dll" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe
"C:\Users\Admin\AppData\Local\Temp\facf59ac6b83890fe016a923d0f28c2463739fda63edae9ca72209348d2567b3N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4876-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4876-2-0x0000000004930000-0x0000000004B3C000-memory.dmp
memory/4876-9-0x0000000004930000-0x0000000004B3C000-memory.dmp
memory/4876-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4876-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4876-14-0x0000000004930000-0x0000000004B3C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp
| MD5 | 70e37cc54acda2b25240af5596b695ea |
| SHA1 | cfc5911ea68b89176ec1125c532be2fc814bf4b1 |
| SHA256 | c8f47a0dd5c16b066fad34587591b792c14cf885e4139b9e8201ebd2ee1885b1 |
| SHA512 | 70dc7a489ffc79ca5ba28f1b976004a3e7145aa79eb248681abc54fbd867a17410ced8e5b0489d3f5669d0350209019315ea9f7b209b7bfea97f95570c53423e |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 8ff146338551f4693d2962fbe739e4ab |
| SHA1 | 51e20da442f7f0eb099cf6d56d5d0be932de70b5 |
| SHA256 | 6dac5ed4ba6a35b0ca1e8d5ca3a3ce76a5ac5cc04020cd139ca7e26070806429 |
| SHA512 | 3ba46bfbdfdf9c59e5bb3f899c72c6a9b89eafaa2000d99d6e8eb15c85c0c2db317db5fba64d90733a7e3d10dbe69eb1a80971f7f171dc79ee5f12371d6462db |
memory/4876-38-0x0000000004930000-0x0000000004B3C000-memory.dmp
memory/4876-39-0x0000000004930000-0x0000000004B3C000-memory.dmp
memory/4876-100-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4876-112-0x0000000004930000-0x0000000004B3C000-memory.dmp