Analysis Overview
SHA256
b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4
Threat Level: Known bad
The file b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple files with added filename extension (225 files in the win7-20240903-en run, 608 in the win10v2004-20241007-en run)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-04 22:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 22:33
Reported
2024-12-04 22:35
Platform
win7-20240903-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Renames multiple (225) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "DataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.DataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.DataCollectorSet.1" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe
"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"
Network
Files
memory/2464-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2464-1-0x00000000030F0000-0x00000000032FC000-memory.dmp
memory/2464-8-0x00000000030F0000-0x00000000032FC000-memory.dmp
memory/2464-7-0x00000000030F0000-0x00000000032FC000-memory.dmp
memory/2464-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2464-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2464-13-0x00000000030F0000-0x00000000032FC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| MD5 | a6b740f22a2bf2dfd722035d082a8a80 |
| SHA1 | e3232158bf4690648178d49e4a544af3a8020011 |
| SHA256 | 6b6aa9c4602b4ad43bc810292b048c06cbe1a426b8b6eb8b59ac6fca4ca62c1e |
| SHA512 | b2d26a380dadcaa1a2c2616775db1b2081effccbd1c0ba40947bbf3916bd4c6d06f329b5999389cd2dd3170c8f7fea077fa21ca57cf2e0a6a18f137f70c55741 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 4aa57d4441beecd7c1819d7a182880f9 |
| SHA1 | d365abeb289b48922bb59408709cf747b24068b2 |
| SHA256 | 84b95cdbf8cc1e05fd7322239cc8032fc151261c0f0903decacc019c181e7f5e |
| SHA512 | ffa0e581bc34c0334cce54693366fb5385f1147e5f14198a634b17e16f64790ebb7db300c6d0b167aadeb1e12684b78e2d6a267f3c39ad90e7513f41467693a0 |
memory/2464-25-0x00000000030F0000-0x00000000032FC000-memory.dmp
memory/2464-43-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2464-53-0x00000000030F0000-0x00000000032FC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 22:33
Reported
2024-12-04 22:35
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Renames multiple (608) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
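The VirtualBox ACPI, BIOS and NLS\Language indicators above (raised identically in the win7 and win10 runs) are single registry reads that only become interesting in combination. The following Python is an added example, not part of this report or of any sandbox's own code: it classifies Sysmon-style registry events against those three key patterns and flags a process that pairs the anti-VM probe with host profiling. The event records, the pid values and the trailing Run-key event are constructed; the key paths are the ones in the tables above, plus the FADT and RSDT variants that VirtualBox also stamps with the VBOX__ OEM ID.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style registry events (not a real host trace). The
# first four key paths are the ones from this report's indicator tables;
# the last is an unrelated Run-key read included as a negative control.
SAMPLE_EVENTS = [
    {"pid": 2464, "op": "KeyOpen",    "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"pid": 2464, "op": "QueryValue", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"pid": 2464, "op": "QueryValue", "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate"},
    {"pid": 2464, "op": "KeyOpen",    "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"pid": 4812, "op": "KeyOpen",    "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

# One pattern per signature in the report. DSDT is what the sample opened;
# FADT and RSDT are the other ACPI tables VirtualBox stamps with VBOX__.
RULES = {
    "anti_vm_virtualbox_acpi": re.compile(
        r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I),
    "bios_info_discovery": re.compile(
        r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I),
    "system_language_discovery": re.compile(
        r"\\SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\Nls\\Language$", re.I),
}

# Event sources spell the hive differently; fold the common aliases onto
# the kernel form used in the report.
HIVE_ALIASES = (
    ("HKEY_LOCAL_MACHINE\\", "\\REGISTRY\\MACHINE\\"),
    ("HKLM\\", "\\REGISTRY\\MACHINE\\"),
)


def normalize_key(key):
    upper = key.upper()
    for alias, canonical in HIVE_ALIASES:
        if upper.startswith(alias):
            return canonical + key[len(alias):]
    return key


def classify_key(key):
    """Return the sorted list of signature names a registry path matches."""
    key = normalize_key(key)
    return sorted(name for name, rx in RULES.items() if rx.search(key))


def summarize(events):
    """Map each pid to the sorted list of signatures its registry reads hit."""
    hits = defaultdict(set)
    for ev in events:
        for tag in classify_key(ev["key"]):
            hits[ev["pid"]].add(tag)
    return {pid: sorted(tags) for pid, tags in hits.items()}


def is_environment_fingerprinting(tags):
    """Anti-VM probe combined with at least one host-profile lookup: the
    pattern of a sample deciding whether (and how) to detonate."""
    tags = set(tags)
    profiling = {"bios_info_discovery", "system_language_discovery"}
    return "anti_vm_virtualbox_acpi" in tags and bool(tags & profiling)


if __name__ == "__main__":
    for pid, tags in summarize(SAMPLE_EVENTS).items():
        print(pid, tags, "fingerprinting" if is_environment_fingerprinting(tags) else "")
```

The BIOS and language reads are common in benign software (installers, localisation code), so the rule that matters is the combination per process, not any single key; that is why the verdict is taken on the per-pid set rather than per event.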
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32 | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "C:\\Windows\\SysWOW64\\ole32.dll" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msi.dll" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "WindowsInstaller.Installer" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{000C1092-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Windows Installer" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
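The "Modifies registry class" tables are the one place where the two detonations diverge: on win7 the sample writes CLSID {5ADD62E2-4A23-86F4-8704-0C62BF6886E2} as PLA.DataCollectorSet (InprocServer32 pla.dll, LocalServer32 plasrv.exe, PLA TypeLib), while on win10 the same CLSID is written as WindowsInstaller.Installer (InprocServer32 msi.dll, InprocHandler32 ole32.dll, MSI TypeLib). Both bindings point at files under %SystemRoot%\SysWOW64, so these writes are not a COM hijack in themselves, but one CLSID bound to two unrelated servers is worth checking against a clean host. The Python below is an added example, not code from the report or from any sandbox: it parses rows in the report's own table format, extracts each CLSID's server bindings, flags a server outside the system directories and reports CLSIDs whose bindings differ between runs. The process column is shortened to sample.exe, the CONSTRUCTED_ROWS entry (a server under C:\Users\Public) is invented to show the hijack check firing, and %SystemRoot% is assumed to expand to C:\Windows.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Rows in the report's table format. WIN7_ROWS and WIN10_ROWS carry the
# values from this report's two "Modifies registry class" tables (process
# column shortened). CONSTRUCTED_ROWS is invented to exercise the hijack check.
WIN7_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.DataCollectorSet.1" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | sample.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | sample.exe | N/A |',
]
WIN10_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "C:\\Windows\\SysWOW64\\ole32.dll" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msi.dll" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "WindowsInstaller.Installer" | sample.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{000C1092-0000-0000-C000-000000000046}" | sample.exe | N/A |',
]
CONSTRUCTED_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\ = "C:\\Users\\Public\\hijack.dll" | other.exe | N/A |',
]

# Captures the CLSID, the value path below it and the quoted data.
CLSID_ROW = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\?(.*?) = "(.*?)" \|')
SERVER_SUBKEYS = ("inprocserver32", "localserver32", "inprochandler32")
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_rows(rows):
    """Return {CLSID: {(subkey, value_name): data}} for the Set value rows."""
    reg = defaultdict(dict)
    for row in rows:
        m = CLSID_ROW.search(row)
        if not m:
            continue  # "Key created" rows carry no data
        clsid, path, data = m.group(1).upper(), m.group(2), m.group(3).replace("\\\\", "\\")
        if path.endswith("\\"):            # "Sub\ =" is the subkey's default value
            subkey, name = path[:-1], "(default)"
        elif "\\" in path:                  # "Sub\Name ="
            subkey, name = path.rsplit("\\", 1)
        else:                               # "Name =" directly under the CLSID
            subkey, name = "", path
        reg[clsid][(subkey.lower(), name.lower())] = data
    return reg


def server_bindings(entry):
    """{server subkey: path} for the COM server/handler defaults of one CLSID."""
    return {sk: entry[(sk, "(default)")] for sk in SERVER_SUBKEYS if (sk, "(default)") in entry}


def expand(path):
    # Assumption: %SystemRoot% is C:\Windows; a live check reads the env var.
    return path.replace("%SystemRoot%", r"C:\Windows")


def review(runs):
    """runs: {run name: rows}. Returns a list of human-readable findings."""
    by_clsid = defaultdict(dict)
    for run, rows in runs.items():
        for clsid, entry in parse_rows(rows).items():
            by_clsid[clsid][run] = entry
    findings = []
    for clsid, per_run in by_clsid.items():
        for run, entry in per_run.items():
            for sk, path in server_bindings(entry).items():
                parent = str(PureWindowsPath(expand(path)).parent).lower()
                if parent not in SYSTEM_DIRS:
                    findings.append(f"{clsid} {sk} -> {path} ({run}): server outside system directories, possible COM hijack")
        bindings = {run: (entry.get(("progid", "(default)")), tuple(sorted(server_bindings(entry).items())))
                    for run, entry in per_run.items()}
        if len(set(bindings.values())) > 1:
            findings.append(f"{clsid}: bound to different COM servers across runs: {bindings}")
    return findings


if __name__ == "__main__":
    for line in review({"win7": WIN7_ROWS, "win10": WIN10_ROWS, "constructed": CONSTRUCTED_ROWS}):
        print(line)
```

The directory check is deliberately coarse: a server path under a user-writable directory is the classic hijack indicator, while a path under System32/SysWOW64 still needs a follow-up (does the CLSID exist on a clean image, and to which ProgID is it bound there) before the write can be dismissed.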
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe
"C:\Users\Admin\AppData\Local\Temp\b710286449c217ebd23fc7b0c0ba0030bf7184054dee48f3bf15b58bf41512a4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
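Every row in the network table is a reverse (PTR) lookup: the "Domain" column holds in-addr.arpa names, not hostnames the sample asked to resolve, and the table does not tie the queries to the sample's process. No forward lookup of an attacker-controlled domain was captured in the 95-second network window, so this table yields no C2 hostname; the IPs the PTR names encode are the only pivot it offers. The Python below is an added example, not part of the report: it parses rows in the table's format, decodes in-addr.arpa and ip6.arpa names back to the IP they ask about, and separates forward lookups (worth pivoting on) from reverse ones. The DNS_ROWS list is copied from the table above; CONSTRUCTED_ROWS is an invented forward lookup added for contrast.

```python
import ipaddress
import re

# The ten rows of this report's win10 network table, in the table's own
# format; CONSTRUCTED_ROWS adds one invented forward lookup for contrast.
DNS_ROWS = [
    "| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |",
]
CONSTRUCTED_ROWS = ["| US | 8.8.8.8:53 | update.example.invalid | udp |"]

PTR_V4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$", re.I)


def parse_row(row):
    country, dest, name, proto = [c.strip() for c in row.strip().strip("|").split("|")]
    return {"country": country, "resolver": dest, "name": name, "proto": proto}


def ptr_to_ip(name):
    """Decode an in-addr.arpa / ip6.arpa query name to the IP it asks about,
    or return None when the name is an ordinary forward lookup."""
    m = PTR_V4.match(name)
    if m:
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(m.groups()))))
        except ValueError:
            return None  # octet out of range: malformed, treat as a plain name
    lowered = name.lower().rstrip(".")
    if lowered.endswith(".ip6.arpa"):
        nibbles = lowered[: -len(".ip6.arpa")].split(".")
        if len(nibbles) == 32:
            hexstr = "".join(reversed(nibbles))
            groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
            return str(ipaddress.IPv6Address(":".join(groups)))
    return None


def triage(rows):
    """Split sandbox DNS rows into forward lookups (names worth pivoting on)
    and reverse lookups (decoded to the IPs they concern)."""
    forward, reverse = [], []
    for r in map(parse_row, rows):
        ip = ptr_to_ip(r["name"])
        if ip is None:
            forward.append(r["name"])
        else:
            reverse.append(ip)
    return {"forward_lookups": forward, "reverse_lookups": reverse}


if __name__ == "__main__":
    print(triage(DNS_ROWS + CONSTRUCTED_ROWS))
```

Reverse lookups of this shape are routinely generated by the guest OS itself, so treat the decoded addresses as weak indicators until a process-level network event links them to the sample.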
Files
memory/4812-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4812-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4812-9-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4812-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4812-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4812-14-0x00000000048F0000-0x0000000004AFC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp
| MD5 | 7f4c5cae1ae79d7ab59e3756e33dcd46 |
| SHA1 | e57a294c4d4df697e72ee1866f7d0824bc6033e6 |
| SHA256 | 80868c3d31448387c206c953bfc4a39d519b2c90d9a537d8232a4bb4be51904a |
| SHA512 | 8b3617294bdf1a10defc5d2bfd0b98d9bcdae378073f208a5f2e9b03cc591f9f7c2f332baa8ae0688ad439dad0c1008efd777abb49265eb5f10f5eec4c9df1cb |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | acf1bba7ea751fe536663ccaa187d20c |
| SHA1 | 8d7aed9c8cd00a5ae5005f71c03fd9a25ed271fc |
| SHA256 | 0f1041a0222f4af22c8e6e8a62378c7edf1c54f9d782db29476c284a8908b140 |
| SHA512 | 1443f06a522c033d620d742aef365dc658e8f5d97ada6690f18e38ce981426564b98ba1e9bfd7d49f96fb6aa61985f3c8857227df0250baf218cbb2ecd550ac2 |
memory/4812-56-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4812-57-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4812-152-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4812-170-0x00000000048F0000-0x0000000004AFC000-memory.dmp
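The "Renames multiple (225 / 608) files with added filename extension" signature is what produced the desktop.ini.tmp, Office64WW.xml.tmp and 7-zip.dll.tmp entries in the Files sections: the sample appends .tmp to existing files across system and user directories. An added-extension rename on its own is ambiguous (installers and updaters rename to .tmp before replacing a file), so a detection has to key on breadth and rate rather than on the extension. The Python below is an added example, not part of this report or of any sandbox: it takes (timestamp, pid, op, src, dst) rename events, groups them by process and appended extension, and alerts when one process touches at least min_files files in at least min_dirs directories inside a sliding window. The three report-derived events reuse the paths listed above, the burst under C:\Users\Admin and the pid-1234 installer events are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed file-rename events: (timestamp_s, pid, op, src, dst). The
# three REPORT_DERIVED pairs reuse the .tmp paths listed in this report's
# Files sections; the burst and the benign pid-1234 events are invented.
REPORT_DERIVED = [
    (0.0, 4812, "rename", r"C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini",
                          r"C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp"),
    (0.1, 4812, "rename", r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml",
                          r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp"),
    (0.2, 4812, "rename", r"C:\Program Files\7-Zip\7-zip.dll", r"C:\Program Files\7-Zip\7-zip.dll.tmp"),
]
# Invented: an updater renaming one file aside and swapping in the new one.
BENIGN = [
    (5.0, 1234, "rename", r"C:\Program Files\App\app.dll", r"C:\Program Files\App\app.dll.tmp"),
    (5.1, 1234, "rename", r"C:\Program Files\App\app.dll.new", r"C:\Program Files\App\app.dll"),
]


def synthetic_burst(pid, count, start_ts=1.0, ext="tmp"):
    """Invented burst: `count` user documents renamed to name.ext across three folders."""
    folders = (r"C:\Users\Admin\Documents", r"C:\Users\Admin\Desktop", r"C:\Users\Admin\Pictures")
    events = []
    for i in range(count):
        src = f"{folders[i % len(folders)]}\\file{i}.docx"
        events.append((start_ts + 0.1 * i, pid, "rename", src, f"{src}.{ext}"))
    return events


SAMPLE_EVENTS = REPORT_DERIVED + synthetic_burst(4812, 30) + BENIGN


def added_extension(src, dst):
    """Return the extension appended when dst == src + '.<ext>', else None."""
    if not dst.lower().startswith(src.lower() + "."):
        return None
    ext = dst[len(src) + 1:]
    return ext.lower() if ext and "\\" not in ext else None


def detect_mass_rename(events, min_files=20, min_dirs=3, window_s=60.0):
    """Alert per (pid, ext) when one process appends the same extension to
    min_files files in min_dirs directories within window_s seconds."""
    by_key = defaultdict(list)
    for ts, pid, op, src, dst in events:
        if op != "rename":
            continue
        ext = added_extension(src, dst)
        if ext:
            by_key[(pid, ext)].append((ts, src))
    alerts = []
    for (pid, ext), hits in by_key.items():
        hits.sort()
        best, lo = None, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window_s:
                lo += 1  # slide the window start forward
            span = hits[lo:hi + 1]
            dirs = {str(PureWindowsPath(s).parent).lower() for _, s in span}
            if len(span) >= min_files and len(dirs) >= min_dirs:
                if best is None or len(span) > best["files_in_window"]:
                    best = {"pid": pid, "ext": ext, "files_in_window": len(span),
                            "dirs": len(dirs), "files_total": len(hits)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct parent directories is what separates the sample's behaviour (Recycle Bin, MSOCache, Program Files and user folders in one run) from a legitimate updater that renames a handful of files inside its own install directory.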