Analysis Overview
SHA256: 2427944ef51d4c628073b5db91d897ef4e42595603784a600e95041afb11582a
Threat Level: Known bad
The file 2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (176) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-29 18:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-29 18:37
Reported: 2024-11-29 18:40
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 148s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\IME\\SHARED\\imedicapiccps.dll" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ImeDicAPIProxy" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-4050598569-1597076380-177084960-1000\desktop.ini.tmp
| Hash | Value |
| MD5 | 7a2f84477d78ec3e69ad88e98ef281a4 |
| SHA1 | 30b9c93554926c2584f38327f7fb80aee258d5bd |
| SHA256 | 6a50fa5b3af1c324a5b59181010dca0790dc6b5f860c00fba63dabcc1721371e |
| SHA512 | 4949391ba27b46f2faf7119f2cabdde49c51268c6aa15a13acb12ef41e6027a4f51099910dc5a7809aac86f5eddf0ecda2089945eec07470d602c86dd3901c61 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| Hash | Value |
| MD5 | 389027fbb5baa20c77ce1b6eb831cae1 |
| SHA1 | a74569f1da16b747f828ba984ef9085dca8f0312 |
| SHA256 | 92b593919ae4493c8acdc4a6b12503d36e71a457f3ca65febf77beeb976c7ebb |
| SHA512 | 094dfc4f4cb9050c552ad339252d62ce406ea191da6ccc3a283800f45e8d09ac166d492ed74596865712731c5f898b3edb8e5fdb3ef115b3ff05dab4324f231a |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-29 18:37
Reported: 2024-11-29 18:40
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 124s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Renames multiple (176) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "FileSystem Object" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrrun.dll" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Scripting.FileSystemObject" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{420B2830-E718-11CF-893D-00A0C9054228}" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-29_947c1c8939c8f393224328d2e1d25947_hawkeye_hijackloader_jaff.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| Hash | Value |
| MD5 | 51a823bad630b30c033df5a9c8376076 |
| SHA1 | dd931291c6f7edf80299729dad4be4a40c156559 |
| SHA256 | 65687caf0b3db7422a9b212fe7087ae609a694ae4188e6e8db33baabb7bf3406 |
| SHA512 | 75dd727ffc35a0d021e24eadebd3e9f5413b2acf0b6612e838ba67e29087baae61bf40185770bf8e738d1eacb512fab7cd86c5848456f354766781a31f08b0ed |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
| MD5 | e4fc90a76d0e2a20ba2a4c55ae6cea75 |
| SHA1 | 22ebd2661e06bc2dff23a74a39c92e3316d451db |
| SHA256 | dce9b7873f0b5c0b6733b61ac126d2f036ec476daec0f5a753ff9fd7b65a2582 |
| SHA512 | 3a002a14784cca99f0ea6b8dfe6a2584df5e0e6f81b356e36ea4634e057de8a27e18cf915c150514d46abc1a10b04c90b4607f61d9cc7a1e0da5e1390ec7fe14 |