banload | f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Size

3.0MB
MD5

299d5f94d35d28ae98e5454a0bdca9a3
SHA1

db7c8111fe03133f118507f4beefcaedc058ae25
SHA256

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8
SHA512

224681a0028f25656dbc6c49feb564000f332da5bab64b65c6e1835698daff1c866b3d9aed3244fa784f91a2734e7aeeda878b7bf3869a2212a56597aba8319f
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV47RIgiBul:RF8QUitE4iLqaPWGnEvK7RZ

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Renames multiple (231) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\msdaprst.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\CopyShow.odp.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tabskb.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipBand.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\msado21.tlb.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\oledb32.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\ca.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipTsf.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusalm.dat.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\FlickLearningWizard.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\MSTTSLoc.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\msdaremr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msadcor.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\msadcfr.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\To_Do_List.emf.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\DVD Maker\en-US\WMM2CLIP.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\hu.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\tg.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\micaut.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\adojavas.inc.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\mng2.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.jpg.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\DebugMerge.vdx.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\msinfo32.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkObj.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tiptsf.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Modifies registry class 18 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}\	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open\Command	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open\Command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE\""	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder\Attributes = 72000000	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InfoTip = "Displays your e-mail, calendar, contacts, and other important personal information."	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE,7"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\MLSHEXT.DLL"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Shell\Open	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ShellFolder	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Outlook"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\PropertySheetHandlers\{00020D75-0000-0000-C000-000000000046}	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	pid	Process
Token: 33	2644	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Token: SeIncBasePriorityPrivilege	2644	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp

Filesize
3.1MB

MD5
410d0bb541855e91a4bc810285f4432a

SHA1
9c70380b591785f30615442f07d9773a0a431fb5

SHA256
502a473b2520969df2647e30e072b095177c15aea545fd16b2ebb989c69cebca

SHA512
df4f609a52cbb85a905ec8219c4ca21d0a2ae9461eaf5db5b6fb1b0ea8406d8e64a1bf7d66e153503ce029c83f2f9dd00408457ed1da033f3d94f7b054a2035c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.1MB

MD5
cd58e83722735223a7cbd84d407006c1

SHA1
bc1e28d5d69e60a679c20d754c17cb29ed65cf77

SHA256
f2706dac445fa6f6f50a394752928824f8ec473e4d7c2f9da6ac1e51deae7080

SHA512
f86a26fdaf84693e69dbfb0f597d12ff70a3d084f34f6f474b86162b59da1604be450eb7cc1602fb0957668fbba26280441b83f7f37d4015d73cb8356c880d9c

Download Submit
memory/2644-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2644-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2644-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2644-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2644-43-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2644-51-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download