banload | 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 00:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Size

3.7MB
MD5

a6abe2caa61d5319f6deeba2d78a5660
SHA1

5c8a4e46ec488d929f5b0b642e93346ba33e3863
SHA256

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8
SHA512

4b851c68dce5e032ecdccd2c8c3d0bf26086173ddf3afac67bd6c6fbc990af46d6e2a5b3b4e40779d9b1a1d96bb53e2f4683f1ddc4deef32e0742061ccd70856
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvVCUkULRSOE2U:RF8QUitE4iLqaPWGnEvcUkUtSOEN

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

Renames multiple (198) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

Drops file in Program Files directory 64 IoCs

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ku.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mshwLatin.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IPSEventLogMsg.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mraut.dll.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipTsf.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ka.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ug.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tabskb.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipTsf.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\sq.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\ShapeCollector.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\oskmenubase.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipTsf.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InputPersonalization.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\cs.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\eo.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\Microsoft.Ink.dll.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mshwjpn.dll.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ky.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkWatson.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\hwrespsh.dat.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\tipresx.dll.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\ShapeCollector.exe.mui.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

Modifies registry class 18 IoCs

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ToolboxBitmap32	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ActiveMovieControl Object"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpdxm.dll"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "AMOVIE.ActiveMovieControl.2"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{05589fa0-c356-11ce-bf01-00aa0055595a}"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1\ = "131473"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "2.0"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "AMOVIE.ActiveMovieControl"	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

description	pid	Process
Token: 33	2372	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
Token: SeIncBasePriorityPrivilege	2372	933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe

C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp

Filesize
3.8MB

MD5
15b498c6ecc869d93747e50baeacb8a1

SHA1
6a50263dff1cfb9590f41ba5fc4cc778c94d3e33

SHA256
308d2265f08d790acc874cb5a60e14d6f46c74b89b74f137dbc72689c264ddea

SHA512
290fe5ad7a8d991701b76acf06444d6fc78171ecd941d0de53b2eb3b53552cb77066a0d420ff5c301902a6e18d9df14cb19b562c247ad3c20a160fbc13ec07c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

Filesize
3.8MB

MD5
bfce0c45ea645ab7ed2b81883e47c0a1

SHA1
8967422f4d8b377c9ba3f69c430298bd5308bab1

SHA256
a3e323eda5da26216d52b136a665869572ec7732c6e81b6684d59215de5e3ba5

SHA512
405ef44e8721866d57a524159e7fb18dcbc8510052446798cb7124552847183a7b9577b44c8fd6b5021c57c90bc39d9f8845d80c6cfc897a4550f85c9b0b1fc1

Download Submit
memory/2372-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2372-1-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2372-8-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2372-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2372-11-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2372-13-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2372-25-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download
memory/2372-41-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/2372-47-0x00000000030F0000-0x00000000032FC000-memory.dmp

Filesize
2.0MB

Download