Analysis Overview
SHA256
318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5
Threat Level: Known bad
The file 318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (196) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-02 19:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-02 19:03
Reported
2024-12-02 19:05
Platform
win7-20240903-en
Max time kernel
60s
Max time network
17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Renames multiple (196) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FirewallAPI.dll" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{0CA545C6-37AD-4A6C-BF92-9F7610067EF5}" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@C:\\Windows\\SysWOW64\\FirewallControlPanel.dll,-12122" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\IconReference = "@C:\\Windows\\SysWOW64\\FirewallControlPanel.dll,-1" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "HNetCfg.FwOpenPort" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "HNetCfg.FwOpenPort" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe
"C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe"
Network
Files
memory/1292-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1292-8-0x00000000030E0000-0x00000000032EC000-memory.dmp
memory/1292-1-0x00000000030E0000-0x00000000032EC000-memory.dmp
memory/1292-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1292-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1292-13-0x00000000030E0000-0x00000000032EC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3533259084-2542256011-65585152-1000\desktop.ini.tmp
| MD5 | 54ac760c3bee2c7d0e4fdf42e30ce68d |
| SHA1 | 184c365fbdb72e65e03feeb2b16316d88b2d062e |
| SHA256 | 419dd1a32ee0da33f01af59f65baeefad231ff218bf34f5d362f7903f582620a |
| SHA512 | 5b3bf8c7588ab06419a7914928ed1e39b7f96012fc100935df82c029251a617dfde75bc800f0486f922db627ecf3021333e833b70207c6fe5aeef9f80298315f |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | bcae0c3fd0f13b8a3f34a76f59521e6f |
| SHA1 | 8a677b3102274fc836d88d74ad5db143a0e4c633 |
| SHA256 | a8ebda3e5408e90cbc13a8c98b43a13294c4db66948538e9b3a5850693c9e629 |
| SHA512 | a92b7b5d5f9ce1fc2c8ad01d541108a928559bd5eccc42f35662027f891d96c225a9bbf873b94cac0249802ca15a40071fcd703281d0c397375ef4c4d7bc2c04 |
memory/1292-26-0x00000000030E0000-0x00000000032EC000-memory.dmp
memory/1292-25-0x00000000030E0000-0x00000000032EC000-memory.dmp
memory/1292-43-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1292-51-0x00000000030E0000-0x00000000032EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-02 19:03
Reported
2024-12-02 19:05
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
35s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\NaturalLanguage6.dll" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe
"C:\Users\Admin\AppData\Local\Temp\318704f2842db93eeec2ec6a4803a1d03f16ff4303131b935dd2c3270afa56d5.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/3028-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3028-2-0x00000000049C0000-0x0000000004BCC000-memory.dmp
memory/3028-9-0x00000000049C0000-0x0000000004BCC000-memory.dmp
memory/3028-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3028-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3028-14-0x00000000049C0000-0x0000000004BCC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| MD5 | e0661b5083f5c06faeae772ebe7309f4 |
| SHA1 | a652f096e3f6049ab6168acbfb626b53eb13b74f |
| SHA256 | f80f0f698246b7a840b8747bae69ff5751ac3be2f2939be2958a9f6868b69ad0 |
| SHA512 | a5e29d176ee5ce8aec76e6f55e518237160e40120193455a1970dbe47dbdb4f94ab4e04088cd083e9606916c118a239b506089a9fdfe5412ffda54543e3fb3d7 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | c6257fa43859b947abce3082002588d1 |
| SHA1 | 8aab135751b4c3087b976460529095f743030011 |
| SHA256 | 5d0e7ab96f543db2211fb0cfd66baa42e77b70d5ee64adf7dbb35bc901f7474d |
| SHA512 | bf9a2f1b78477ca25def5edb3af92e280570c1850d3ea3c6d0ab0b6876fc02421d118ddcd4799fbd3a3693c426741f0d4859083161bd2de2a5445ec786080a9a |
memory/3028-42-0x00000000049C0000-0x0000000004BCC000-memory.dmp
memory/3028-43-0x00000000049C0000-0x0000000004BCC000-memory.dmp
memory/3028-122-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3028-138-0x00000000049C0000-0x0000000004BCC000-memory.dmp