banload | f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Size

3.0MB
MD5

299d5f94d35d28ae98e5454a0bdca9a3
SHA1

db7c8111fe03133f118507f4beefcaedc058ae25
SHA256

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8
SHA512

224681a0028f25656dbc6c49feb564000f332da5bab64b65c6e1835698daff1c866b3d9aed3244fa784f91a2734e7aeeda878b7bf3869a2212a56597aba8319f
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV47RIgiBul:RF8QUitE4iLqaPWGnEvK7RZ

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Renames multiple (726) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Requests.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Writer.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\ConvertHide.wmf.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\mscordbi.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-stdio-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Text.RegularExpressions.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\mn.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.OpenSsl.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Formats.Asn1.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\WindowsBase.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\msdaps.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\hostpolicy.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Core.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\pt-PT\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Diagnostics.Debug.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.FileSystem.Watcher.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Microsoft.Ink.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Json.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\cy.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-private-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Timer.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebHeaderCollection.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\TipRes.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.HttpListener.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\th-TH\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-file-l1-2-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lt-LT\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Configuration.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Handles.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ServiceProcess.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-crt-environment-l1-1-0.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.Calendars.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
File created	C:\Program Files\dotnet\LICENSE.txt.tmp	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Modifies registry class 16 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "lnkfile"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\windows.storage.dll"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{00000003-0000-0000-C000-000000000046}	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Shortcut"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DisableProcessIsolation = "1"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\NoOplock = "1"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\OverrideFileSystemProperties\System.Kind = "1"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\shellex\MayChangeDefaultMenu	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{00021401-0000-0000-C000-000000000046}"	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

description	pid	Process
Token: 33	1008	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
Token: SeIncBasePriorityPrivilege	1008	f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe

C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe
"C:\Users\Admin\AppData\Local\Temp\f3c7c3cba051c85937daa2cad72f59bf6b47b5b9c14cdb42057dbc8fda99e1a8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp

Filesize
3.1MB

MD5
38eaba0b1e911e207f6df44e7403d410

SHA1
61112f70d4ae3a0731cb7907cad64390a8b196af

SHA256
16695f3518e61621918c0a02317b5245167880940d857da1817eb13da85581a5

SHA512
7d58a9b76c4def07dcdd70fff178f4e87517d777a0628693db27d83aaf92c2848bbfa538e39ba3d047305fc6fc8fcc2dd305a59408ddd47b61a12b832f343702

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
3.2MB

MD5
2b3d40875c65783683ba819a4afbce21

SHA1
75e9fc673d455eeb75e70a70d9212e8854ceb98c

SHA256
ad7d3ba7de248fcb5edc49bb17b0b2ae7841cb0823f7fb5bbd6b58ce492e7741

SHA512
48d3def6009c925c90c3c40a88f1e0a8901121e0428e2c6641e390a1ea1e754fcc1a9bec5b232ba67f84218b4f79013b81099773b1e1e8bc45b6c74d39464644

Download Submit
memory/1008-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1008-2-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/1008-9-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/1008-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1008-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1008-14-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/1008-50-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/1008-51-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download
memory/1008-136-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/1008-154-0x0000000004970000-0x0000000004B7C000-memory.dmp

Filesize
2.0MB

Download