Analysis Overview
SHA256
32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c
Threat Level: Known bad
The file 32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (200) files with added filename extension
Renames multiple (247) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 19:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 19:15
Reported
2024-12-03 19:17
Platform
win7-20240729-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Renames multiple (200) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "1,32,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0047005200410050004800460069006c00650073003e0050004e006b004f002900500077006b002500410078003d003300720045007000580049007300330000000000 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MSGraph.Chart.8" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Windows\\Installer\\{90140000-0011-0000-0000-0000000FF1CE}\\graph.ico,0" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.3" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Graph Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046} | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "1,16,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GRAPH.EXE" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Typelib\ = "{00020802-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "1,1,1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Graph Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "GBiff5,MSGraph" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MSGraph.Chart" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readwritable\Main\ = "GBiff5" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "GBiff5" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe
"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"
Network
Files
memory/2904-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2904-1-0x00000000035E0000-0x00000000037EC000-memory.dmp
memory/2904-8-0x00000000035E0000-0x00000000037EC000-memory.dmp
memory/2904-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2904-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2904-13-0x00000000035E0000-0x00000000037EC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | 457743cb4c42e014a835a0c40d021aa5 |
| SHA1 | 7a0dc2924bc837eb06338233e2e8dfd42ff676a7 |
| SHA256 | f751940751a8bebcc52f408908425784d36fda0b3e839f8d9818565a629b0622 |
| SHA512 | 51679c980b792f5a47fd57349bb503ad5e90bb97ed560bb13267e13f827241eeb5b01be1527c33f625e211a22b8b541a769b0113abf1d2348d8272fd277e7ce4 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
| --- | --- |
| MD5 | 716af9d36928f24d10876bb1339c326e |
| SHA1 | 3cf69e0574a9a446311422d33ac96a4215cd9b67 |
| SHA256 | 68042a4156bfd07f0517d9bf2cd84ae31c479de67c943e9429628bd4e9761d0c |
| SHA512 | d05e0b64b6c1e0a911b4679140c3df950a7d05382643ddc5a8434bc543ddd11c74cedf33e7ef6b3d1ad488c69ae00faf78f4f38a8f0de53add66b55198ad308c |
memory/2904-25-0x00000000035E0000-0x00000000037EC000-memory.dmp
memory/2904-37-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2904-43-0x00000000035E0000-0x00000000037EC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 19:15
Reported
2024-12-03 19:17
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
94s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Renames multiple (247) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.LegacyDataCollectorSet.1" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "LegacyDataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.LegacyDataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe
"C:\Users\Admin\AppData\Local\Temp\32caaae8a86016f7243ec2944460057d5bd5cfbb78b3ba93e25a798ff8a7198c.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2364-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2364-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/2364-8-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/2364-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2364-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2364-13-0x00000000048F0000-0x0000000004AFC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | 3d13719855758a947f8a38c798b36fc3 |
| SHA1 | 55bd1525f712b2af32d26c7170604135a29dc9df |
| SHA256 | a25b3c129b130c5a8c4bc70dcd83965df5be7b5d89d6bc4ba29516a26c42a340 |
| SHA512 | a1ea8d512c0568006319ff2e781dbb7ae0d84e5052b54042f3c43e0c482f2fa6cc72ee57ca10c9ae9dc7b003e8baa0bbcbed1ba94ac1d6bacde7aba76d76f8f7 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| Hash | Value |
| --- | --- |
| MD5 | 1f652eac2adfb192e0d838e8ea9c193f |
| SHA1 | cd6e42747dbf8bfa8aa32c02cb734350723b92bf |
| SHA256 | 24a50802e0ce0bcf3e7790341718ea88f0177fe2debfb6316a0f22a9c4e4ad78 |
| SHA512 | 77814d7ae4689e0bb936377c9700a4f5cada23d45b0f2475e7ccfafa38100c48279e284d8c18f5cff0b29f8beed88450072402799e89631ca1298038e305c89e |
memory/2364-34-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/2364-33-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/2364-85-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2364-95-0x00000000048F0000-0x0000000004AFC000-memory.dmp