Analysis Overview
SHA256
f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748
Threat Level: Known bad
The file f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (212) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (498) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-03 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-03 19:45
Reported
2024-12-03 19:47
Platform
win7-20240729-en
Max time kernel
120s
Max time network
118s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Renames multiple (212) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\NaturalLanguage6.dll" | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe
"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"
Network
Files
memory/2688-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2688-1-0x0000000003490000-0x000000000369C000-memory.dmp
memory/2688-8-0x0000000003490000-0x000000000369C000-memory.dmp
memory/2688-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2688-13-0x0000000003490000-0x000000000369C000-memory.dmp
memory/2688-11-0x0000000000400000-0x0000000000616000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | 6e86b3b181c2bc1340cfba6f6bc26297 |
| SHA1 | 2749157f15cdee266a847f7fa76de7c8c68a27a6 |
| SHA256 | e8e91b343d384a062c79fa266d860fe95ddd7f96a81a97821d59d37da228a648 |
| SHA512 | b2ec3dc6a3dd07ce08b188be41bffe642356b18f33bc79fc2ad5d1a44cba2ae021422f829a4812e61af10bbaa8be1061105290f4c2319ec9845f555e54823264 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
| --- | --- |
| MD5 | a6d5bbf4ae957fe6f7e5a2d65f56b597 |
| SHA1 | cfdaf6a51d1bf1f5a5df582d82d8518a8a6c0012 |
| SHA256 | d5f017b9de88d91d75c882962b36cc80412d2c2d1156936a0787edfbeebbf620 |
| SHA512 | 105c9d7df4fe15087e998be6131de0cd0eac39e1ae73166fd32dab7d62e5bf33993a1530f15ea5a40d3fed4a5f94791821b9bdf3a784439d02efd975cb600ac3 |
memory/2688-25-0x0000000003490000-0x000000000369C000-memory.dmp
memory/2688-26-0x0000000003490000-0x000000000369C000-memory.dmp
memory/2688-41-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2688-47-0x0000000003490000-0x000000000369C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-03 19:45
Reported
2024-12-03 19:47
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Renames multiple (498) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%systemroot%\\SysWow64\\comuid.dll" | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe
"C:\Users\Admin\AppData\Local\Temp\f8c41a4e42a7f702cdc141e401ec34fc6c56ac3df11fcdc588a6ed3bef2ca748N.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/1964-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1964-2-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/1964-9-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/1964-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1964-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1964-14-0x0000000004960000-0x0000000004B6C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | a485096c19d859e4f2a85af366082579 |
| SHA1 | 0f83b9aee6fd1bc833176305753fd2380573a6cc |
| SHA256 | c2439ffe7efcd6a62d103273b82d5f76bb3b5210ca8a8d63f3fa35adedc039c8 |
| SHA512 | aa28e77b59f7c1d535996645998df05c80dbc4e30d2d603ea8b96c18e524d33e67f92892c4d1ddabdebe7be47b801213edfcbd623648073ad8dda194a80b6186 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| Hash | Value |
| --- | --- |
| MD5 | 5423de43c0c2a5ed8a2e9e6e0a2c6cff |
| SHA1 | 229fc01233a39a551327bacc18c5cb164790cca9 |
| SHA256 | 4523fd552baf0cfad2f65bd5865e054b34d3ddc1b79d052222814f90b336ff91 |
| SHA512 | 62d9264bafee47e0037f83c6340a1b4a1fb67a3b41537f915b1d718750f860040ad9ccdc7fff74453d37fdbb983ed785fdba20bb079917a778e7ce86077f0df2 |
memory/1964-48-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/1964-49-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/1964-128-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1964-144-0x0000000004960000-0x0000000004B6C000-memory.dmp