Analysis Overview
SHA256
3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a
Threat Level: Known bad
The file 3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (436) files with added filename extension
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 21:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 21:43
Reported
2024-12-02 21:45
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\PEOPLE~1.DLL" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MsoPeopleDataHandler.PeopleDataProvider.1" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MsoPeopleDataHandler.PeopleDataProvider" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe
"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini.tmp
| MD5 | a0653a79cf90944b67f283d6fd7d1755 |
| SHA1 | d07a1ad427aac065b3d249f763ef4aa436f73306 |
| SHA256 | 59b64158eafb95b5fc7c29b00612f719489e44bdc03064bd71cce89640f82aa3 |
| SHA512 | f8c3c42bae2ec3513b1fb5f8ff36bbf2e673d8049f84eed1bf9f6953b1a3086470ef5e1591fb8682c1d84009a836a46e6b8c5565f6696b7a2fa5a0777e2dbd9b |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 9e2ef83a450a4fff55826d7d4a2f7382 |
| SHA1 | 70b8e7a145da9b1decb4b5e5c6997fbced57b723 |
| SHA256 | 5b2864caf9c6cb6bca6266a6732415859b94502086433e025ceb9b92947f067e |
| SHA512 | 7c7f4de4c361048f3a7c60ca33dfdc680ad6dee1aeae1d3fc42d0bb60229f3f2469e4383db28bfbf953e7969472da33387a96a9734d0296e4aa7f7e16dc4fece |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 21:43
Reported
2024-12-02 21:45
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
100s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Renames multiple (436) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "&Address" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MenuTextPUI = "@explorerframe.dll,-13137" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{00021492-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\explorerframe.dll" | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe
"C:\Users\Admin\AppData\Local\Temp\3b5addc5465d40c7f5eaa80971f5bed86d66163de317eb1c8d9aa88679218b0a.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp
| MD5 | 19cd93d73475b17897c6357a36114ae3 |
| SHA1 | 05298a3c505a3fb1a863fe8eacc4d5ac9e4d48b4 |
| SHA256 | 9dee26500f27b39df676ba348f6d29564c86a39f21d65875e737e0760a4863d7 |
| SHA512 | 9b065d4c202f2be98d2229d871847e49d562803393535ecdc1b8a957f73d405661811ab47630ca28303faf49630f789c53f136ec1cdd6192fc6c9fd45108d49a |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 0ff1f7121d40188f1bb8125083cd82c6 |
| SHA1 | 660a6254b5db279bd8d6de84c6a9bb7725dae09a |
| SHA256 | 4faa7b81b40b4ee7d12134d03e39d5167f83ac12153b56f62cfbfbebde5e920a |
| SHA512 | b75955a8d759797eec8fe423e64d94485ce51e3f82043e6bbebc6b65f0fa87218ed9755995ebdfe0df836f4b496929d928806aaf9226177c579399257caf8145 |