Analysis Overview
SHA256
a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4
Threat Level: Known bad
The file a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (200) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (222) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-30 03:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-30 03:36
Reported
2024-11-30 03:38
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Renames multiple (222) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Server\ = "diasymreader.dll" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727\ = "2.0.50727" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727\ImplementedInThisVersion | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Server | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319\ = "4.0.30319" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "CorSymWriter_SxS" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\2.0.50727 | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319 | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\4.0.30319\ImplementedInThisVersion | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "NDP SymWriter" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe
"C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp
C:\Program Files\7-Zip\7-zip.dll.tmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-30 03:36
Reported
2024-11-30 03:38
Platform
win7-20241010-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Renames multiple (200) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%CommonProgramFiles(x86)%\\System\\ado\\msado15.dll" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "ADODB.Connection.6.0" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "ADODB.Connection" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ADODB.Connection" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe
"C:\Users\Admin\AppData\Local\Temp\a5512c5026d772810f72a56f716aef2425360216f042707090ccfc4e26e15ab4N.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp