Analysis Overview
SHA256
933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8
Threat Level: Known bad
The file 933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (198) files with added filename extension
Renames multiple (452) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 00:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 00:56
Reported
2024-12-03 00:58
Platform
win7-20240903-en
Max time kernel
120s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ActiveMovieControl Object" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpdxm.dll" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "AMOVIE.ActiveMovieControl.2" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{05589fa0-c356-11ce-bf01-00aa0055595a}" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "2.0" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "AMOVIE.ActiveMovieControl" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-4177215427-74451935-3209572229-1000\desktop.ini.tmp
| MD5 | 15b498c6ecc869d93747e50baeacb8a1 |
| SHA1 | 6a50263dff1cfb9590f41ba5fc4cc778c94d3e33 |
| SHA256 | 308d2265f08d790acc874cb5a60e14d6f46c74b89b74f137dbc72689c264ddea |
| SHA512 | 290fe5ad7a8d991701b76acf06444d6fc78171ecd941d0de53b2eb3b53552cb77066a0d420ff5c301902a6e18d9df14cb19b562c247ad3c20a160fbc13ec07c0 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | bfce0c45ea645ab7ed2b81883e47c0a1 |
| SHA1 | 8967422f4d8b377c9ba3f69c430298bd5308bab1 |
| SHA256 | a3e323eda5da26216d52b136a665869572ec7732c6e81b6684d59215de5e3ba5 |
| SHA512 | 405ef44e8721866d57a524159e7fb18dcbc8510052446798cb7124552847183a7b9577b44c8fd6b5021c57c90bc39d9f8845d80c6cfc897a4550f85c9b0b1fc1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 00:56
Reported
2024-12-03 00:58
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
93s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Renames multiple (452) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SettingMonitor.dll" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Mouse Setting Change Publisher" | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe
"C:\Users\Admin\AppData\Local\Temp\933beff1452ab56fcabb856fe4d01b6f624a809004ebc0604e1ef8f4c1beafb8N.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp
| MD5 | e19aece2670456e55b5b883bb719b0d2 |
| SHA1 | 96898898887af01d91bf1b2a06ea435a4c4b08c9 |
| SHA256 | a45b9ab524ed0b756f3022fe1e8cec7d61eec1a078e5d7eec22733bd178aaaa3 |
| SHA512 | 726c9f717faecfaa722f47230f306eb099c50bc78cfe8de5999ef78a6933e7a577a59318a52c7558b8923234217ecba1d0a13392648224b2fac328ceaf843cba |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 9808e25e8fa7c87d8adba45bef860b45 |
| SHA1 | 000327fd8ce02a427ba0efc2fa398eb489e94018 |
| SHA256 | 2ed11b5755f326ccf5dec30ab27a1b76d48e3a900f96c074b02e4043399dfa88 |
| SHA512 | 30daf62970021633fb52a811a1b75b666eec3a5da64f90412b55f0a8c7474fee3cefb10bca865263bcea880a9d8cf05b4a205379d205311b30265bd111804e94 |