Analysis Overview
SHA256
1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76
Threat Level: Known bad
The file 1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (218) files with added filename extension
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-04 02:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-04 02:57
Reported
2024-12-04 02:59
Platform
win7-20241010-en
Max time kernel
120s
Max time network
17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Excel.WorkbookClass" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.WorkbookClass" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe
"C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe"
Network
Files
memory/3064-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3064-8-0x0000000002F40000-0x000000000314C000-memory.dmp
memory/3064-1-0x0000000002F40000-0x000000000314C000-memory.dmp
memory/3064-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3064-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3064-13-0x0000000002F40000-0x000000000314C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp
| MD5 | 88834e4aab48f004d3733a6a121eb9ac |
| SHA1 | e753228f6f6da487dadfe6e55773f23c2863b5dd |
| SHA256 | 7b35d9c98bef3d150bc19ecb325151f3ece96973e8ad6c6649e4273ffeae7364 |
| SHA512 | 545fd906aa67c04789f33ec9daee1c0477e35a5480755331c75ffc2d3d7249dc2ed27b72f99e52bbeced77253de1afa557679cae0c6c86a1564b0d5d8c00fd66 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | c4cdcec50c6802f07d1cc48ea72c4fa4 |
| SHA1 | 948e56cb841e0969c410cccd30a0afc7458e6055 |
| SHA256 | 239cf7e07cf77ca48e6b3939cbe44c18ddbd4d6defbc5fe0883972bc05b508ff |
| SHA512 | 6999e76c79600fe7d788c68b51a5b92759e47320764a3cd59bd9ab78b963ecbfadd9fe5f22fd90498710b24b1a6139d75545b18c79890d22a89437a1f22de8af |
memory/3064-26-0x0000000002F40000-0x000000000314C000-memory.dmp
memory/3064-25-0x0000000002F40000-0x000000000314C000-memory.dmp
memory/3064-37-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3064-43-0x0000000002F40000-0x000000000314C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-04 02:57
Reported
2024-12-04 02:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
101s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Renames multiple (218) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MSIME.Japan.FEDict" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\IME\\IMEJP\\imjpapi.dll" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MSIME.Japan.FEDict.15" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft IME (Japanese) IFEDict" | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe
"C:\Users\Admin\AppData\Local\Temp\1e4cafefe33f6cd6e70a4eeaa12e674457b586d995257b2d17f05addf1564b76N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/832-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/832-2-0x0000000004360000-0x000000000456C000-memory.dmp
memory/832-9-0x0000000004360000-0x000000000456C000-memory.dmp
memory/832-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/832-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/832-14-0x0000000004360000-0x000000000456C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini.tmp
| MD5 | ac03290f0a03dfd2c03646ae2c3d273b |
| SHA1 | f8745ff70c9921e2ac955437dabb9671074ed007 |
| SHA256 | 787123bcadefe47da0106ff5ab406e89c2766f90b5a0207cddc8f00fc54b64c4 |
| SHA512 | 8743c2b6055033e4ec85a52bcd696b7d3890ca7144aec767c45f192a3f74173fa207130d69c220fc863e165225756b86af2accb514150ab6544afa085cebfc7d |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 7005d159a5e832c8833b5ef9b228a802 |
| SHA1 | f5848814820144568d2e7cb806f9a1823715d49f |
| SHA256 | 7200a7a4ff313e1af0507f1212ce44d8afca90df115649ac0a4df18d4ea394c9 |
| SHA512 | a08579dc5ace6a29e39f76bd9ae0ac28149bad90c459f647135a64c2ddf6425ad849b546979d6118c280426809b299049580b2ef550d4987e54e0a2010f8449d |
memory/832-29-0x0000000004360000-0x000000000456C000-memory.dmp
memory/832-28-0x0000000004360000-0x000000000456C000-memory.dmp
memory/832-64-0x0000000000400000-0x0000000000616000-memory.dmp
memory/832-72-0x0000000004360000-0x000000000456C000-memory.dmp