banload | d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1c

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Size

5.6MB
MD5

9b810439391c9c861fe0cfb439b36e50
SHA1

797fbe20d5d4ed7e2351c423ba17b9f3957654df
SHA256

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1c
SHA512

3b9d98600c4aa3b0e4bea6011a70c87d63b82789eafb0fea2f466410b5203a6b976e8832c82403f0167a5f5252254289f8164746731e9838c03c61ed0d7a0d8b
SSDEEP

98304:RF8QUitE4iLqaPWGnEv+OKQr8MAvFrpHv/kAZIlnHyLF06Sud19nEntkKl:RFQWEPnPBnEmOKIbGpPMAZcy3qyKl

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

Renames multiple (200) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

Drops file in Program Files directory 64 IoCs

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\ClearSend.contact.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\it.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\gl.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipRes.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IpsMigrationPlugin.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\fr.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\uz.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\mip.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\tipresx.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\he.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\is.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\7z.sfx.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\ps.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\nl.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\sv.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\FlickLearningWizard.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\7-Zip\Lang\eu.txt.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml.tmp	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

Modifies registry class 64 IoCs

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Excel.Chart.8"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Excel.ChartClass"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "Biff8,Biff5,ExcelChart"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension\ = ".xls, Excel Workbook (*.xls)"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "Biff8"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "2,1,16,1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "NoteshNote,-1,1,1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510000000000	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Excel Chart"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "NotesDocInfo,1,1,1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "1,1,1,1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject\ = "16"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.2"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\xlicons.exe,3"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Printable	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Excel.Chart"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main\ = "Biff8"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib\ = "{00020813-0000-0000-C000-000000000046}"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Excel 2003"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "3,1,32,1"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.ChartClass"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

description	pid	Process
Token: 33	2224	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
Token: SeIncBasePriorityPrivilege	2224	d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe

C:\Users\Admin\AppData\Local\Temp\d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe
"C:\Users\Admin\AppData\Local\Temp\d67e72a4ea3f613d54bff1272fcbcf8a4038783a15e83609e6c5839c6d37ba1cN.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

Filesize
5.7MB

MD5
fffe22e4c1a36c0359a8f928ec7ae244

SHA1
8003ab4f76aa463e75d6b8bab045b389502b8968

SHA256
becfaa1e2e6078aea916a53dc8481fb1c73926741ef6da6b085ffec9639d3b07

SHA512
d4d53978a122494fb0d07ad5a92a62fdcd342da49a2887c5aa36e124c5324d845c65c5462716af5fb716332afd39f3f928ea89d3e0d7fc6783d612b58e63d380

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
5.7MB

MD5
eb38ef34492853c5d0084c72e181f5c7

SHA1
2b42ad404ee73431cbad8222312a8d6e99145742

SHA256
5f0f00818cb1738278e828cd1932b83d81ea92533564811bce6f6c810ef08c87

SHA512
fdbf1985f42593fd81b76700e0d29724e2da7f274098f789391c143f9694522ac3abb52b515da8a2ca9255e3892a2c71ab52643b8516abbbfe2003c72fc58828

Download Submit
memory/2224-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2224-1-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download
memory/2224-7-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download
memory/2224-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2224-10-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2224-12-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download
memory/2224-24-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download
memory/2224-25-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download
memory/2224-36-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2224-42-0x0000000003030000-0x000000000323C000-memory.dmp

Filesize
2.0MB

Download