Analysis Overview
SHA256
c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5
Threat Level: Known bad
The file c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (226) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (708) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-01 03:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-01 03:03
Reported
2024-12-01 03:05
Platform
win7-20241023-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Renames multiple (226) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\SortOrderIndex = "66" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\System.PropList.DetailsPaneNullSelect = "prop:" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\System.PropList.DetailsPaneNullSelectTitle = "prop:System.FileCount" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\imageres.dll,-1023" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\command\DelegateExecute = "{c51b83e5-9edd-4250-b45a-da672ee3c70e}" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\QueryForOverlay | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "UsersLibraries" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\HideOnDesktopPerUser | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\MUIVerb = "@shell32.dll,-34645" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\PinToNameSpaceTree | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@%SystemRoot%\\system32\\shell32.dll,-50691" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\SeparatorBefore = "1" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\command | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\Description = "@shell32.dll,-34646" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shell\restorelibraries\SeparatorAfter = "1" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\Attributes = "2961178893" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe
"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-1163522206-1469769407-485553996-1000\desktop.ini.tmp
| MD5 | e46db7d5c037a7e7c9ae48a8abf2fa9e |
| SHA1 | f6b577d8ffc78a8b6c230dc0361af8c897ba196e |
| SHA256 | b6998a12a5ead7f3e7fb3dcb89a1968ae26c02a9bdca83ef58cb93afbb9ed77e |
| SHA512 | aaa6f989ca982d890b49f067cde7d09017a14cbea41b544104377e3d3f2f734be933e5d5ea2e5d146c5f19985e0d54464b51bdaae47131bbb397abea143ed019 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 376cdcbbfa6f5919268e37317e2ddb88 |
| SHA1 | d68e5872b8dd0f8c07062c84a077523cefafe36a |
| SHA256 | 1bffcf547e16e240df51d5d2b3bfc274fab4252be1ca6444ec52b479dc597268 |
| SHA512 | 82f223ff806e1726cfd87af6c6952b9f94411446e712ce62b07fbccc90fb37937fc7155854905814473562934ae82b5c4b407f2f959937f70c153a9b3fc1ae0f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-01 03:03
Reported
2024-12-01 03:05
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Renames multiple (708) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "IE Background Task Scheduler" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\ieframe.dll" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe
"C:\Users\Admin\AppData\Local\Temp\c425f189beca29673ce641512c9c6ee273f466cead0245467012f647987565d5.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp
| MD5 | 75fcdff09eb9ed1dfabdc20072d2291a |
| SHA1 | 19d357b732a090657dc482cba2e89c8bfe9e7237 |
| SHA256 | 5fa59abde0d09b5a18b2e7abade587099ad7c1afc280b015e7820a445490923f |
| SHA512 | 6a088a300a17e2ed1c37618b430a83f6477ff1771b30fbbe5ab80850f1fe29867c0eca606bc172f36fba286e71274bb8cdf56b05a010210fd35a189a7a4ec3f1 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | c1642fa4681b7d2df8e6ccf46de0b747 |
| SHA1 | ccff13b5ceb09e885b1c369bcaa8008f681bbcce |
| SHA256 | 92624b86e56303fdf071882ac4f5848c8a6cd59e888749f0ee461315dbe44549 |
| SHA512 | 87a8d7626d9e67e768f03bf79ae0622dbc6bb236222d0953f1edf1bd9b96b7b7e7c80c01687a69a5d513ad733d4b5c34a2800f18b0d4aba8d090a472e45f14d7 |