Analysis Overview
SHA256
8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69
Threat Level: Known bad
The file 8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple files with added filename extension (200 in the win7 run, 231 in the win10 run)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-05 00:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-05 00:16
Reported
2024-12-05 00:19
Platform
win7-20240729-en
Max time kernel
149s
Max time network
121s
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Renames multiple (200) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{64818D10-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PowerPoint.Show.4" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{64818D10-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 (LUID 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege, in winnt.h) | N/A | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
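The behavioral1 signatures above reduce to a handful of registry paths plus a count of rename events: the `HARDWARE\ACPI\DSDT\VBOX__` key only exists on a VirtualBox guest (its ACPI tables carry the `VBOX__` OEM ID), so a successful open of it is the anti-VM tell; `SystemBiosVersion`/`SystemBiosDate` and `NLS\Language` are plain discovery reads; the `Classes\` writes are the COM registration shown in the table. The Python below is an added example, not the sandbox's own rule engine (whose implementation and thresholds are not on this page). It replays those rules over constructed, Sysmon-style events; the event layout, the 100-rename cut-off, the `.tmp` suffix (taken from the dropped `*.tmp` names in the Files section), the document paths and the benign `explorer.exe` event are all assumptions made for the example.

```python
"""Replay this report's behavioural signatures over constructed events.

Added example: this is not the sandbox's own rule engine. Event shape,
threshold and the ".tmp" suffix are assumptions (see comments).
"""
import re
from collections import Counter, defaultdict

# Process path exactly as it appears in the report's Process column.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe")

# Signature name -> regex over the registry path (paths copied from the report's
# indicator tables; ControlSet\d+ generalises the ControlSet001 seen there).
REGISTRY_RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     r"\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("Checks BIOS information in registry",
     r"\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$"),
    ("System Location Discovery: System Language Discovery",
     r"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language$"),
    ("Modifies registry class",
     r"\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"),
]

# Assumed cut-off for the mass-rename signature; the report only gives the
# observed counts (200 and 231), not the sandbox's threshold.
RENAME_THRESHOLD = 100


def adds_extension(src: str, dst: str) -> bool:
    """True when dst is src with a new '.ext' appended (e.g. x.docx -> x.docx.tmp)."""
    return (len(dst) > len(src) + 1
            and dst.lower().startswith(src.lower())
            and dst[len(src)] == ".")


def evaluate(events):
    """Return {signature name: {process paths that triggered it}}."""
    hits = defaultdict(set)
    renames = Counter()
    for ev in events:
        proc = ev["process"]
        if ev["type"] == "registry":
            for name, pattern in REGISTRY_RULES:
                if re.search(pattern, ev["path"], re.IGNORECASE):
                    hits[name].add(proc)
        elif ev["type"] == "rename" and adds_extension(ev["src"], ev["dst"]):
            renames[proc] += 1
    for proc, n in renames.items():
        if n >= RENAME_THRESHOLD:
            hits[f"Renames multiple ({n}) files with added filename extension"].add(proc)
    return dict(hits)


def constructed_events(rename_count: int = 200):
    """Constructed telemetry: the registry paths from the report plus a synthetic
    rename burst. Document paths and the explorer.exe event are made up."""
    registry_paths = [
        r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate",
        r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
        r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"
        r"\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs",
    ]
    events = [{"type": "registry", "process": SAMPLE, "path": p} for p in registry_paths]
    # A benign process touching an unrelated key must not trigger anything.
    events.append({"type": "registry", "process": r"C:\Windows\explorer.exe",
                   "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"})
    # Rename burst: ".tmp" is assumed from the dropped *.tmp names in the Files section.
    for i in range(rename_count):
        src = rf"C:\Users\Admin\Documents\report{i}.docx"
        events.append({"type": "rename", "process": SAMPLE, "src": src, "dst": src + ".tmp"})
    # A plain rename (no extension added) must not count towards the burst.
    events.append({"type": "rename", "process": SAMPLE,
                   "src": r"C:\Users\Admin\Documents\a.txt",
                   "dst": r"C:\Users\Admin\Documents\b.txt"})
    return events


if __name__ == "__main__":
    for sig, procs in sorted(evaluate(constructed_events()).items()):
        print(f"{sig}: {', '.join(sorted(procs))}")
```

To run this against real telemetry, feed `evaluate()` registry key-open/value-query events and file rename events from your EDR in the same dictionary shape; the registry patterns are taken straight from the indicator columns above, and the rename rule is the only part that needs a site-specific threshold.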
Processes
C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe
"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"
Network
Files
memory/2264-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2264-1-0x0000000003430000-0x000000000363C000-memory.dmp
memory/2264-8-0x0000000003430000-0x000000000363C000-memory.dmp
memory/2264-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2264-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2264-13-0x0000000003430000-0x000000000363C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini.tmp
| Hash | Value |
|---|---|
| MD5 | a4056149a6949e7651f04132fd3b82b7 |
| SHA1 | f21637cfa95c0053c35885b0eb67cb68da07c433 |
| SHA256 | 0d2b272b1950b3921fe6cbb73cd898155b97fb34e0f6826499dfb46b561ffa3a |
| SHA512 | 30bdd25149eecd576c96cb62c0264d805ce5a96fe0cbe95a979ed4836e37d1a1779d063ac1dd71f62dba020e80e27e212ed344ec70f1c5f95d49bd5d48e71d7a |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
|---|---|
| MD5 | 0138bbae4655d92c2515686868c1f901 |
| SHA1 | 8dfb965c1609e20683fa819319ae959e929ce128 |
| SHA256 | bb30e5f01a08142f07cafdf382c5138af756816eeea19f837aaf09cd27602a92 |
| SHA512 | 8bd9b0931faee8f09fdcd4d97d6464476d96117e170418ca0def108688b09035833d03d281232a15113d697181612dd089eda78704df305381b825ab84c1199e |
memory/2264-25-0x0000000003430000-0x000000000363C000-memory.dmp
memory/2264-35-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2264-41-0x0000000003430000-0x000000000363C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-05 00:16
Reported
2024-12-05 00:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Renames multiple (231) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalizedString = "@%systemroot%\\system32\\appwiz.cpl,-184" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\IconReference = "@%SystemRoot%\\system32\\appwiz.cpl,-1507" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\appwiz.cpl" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "ARP CBS Uninstaller Proxy" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{0da7bfdf-c0a0-44eb-be82-b7a82c4721de}" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 (LUID 33 is SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege, in winnt.h) | N/A | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe
"C:\Users\Admin\AppData\Local\Temp\8b438c4ea785667b546774f545acdb3b45a0bb1f97ea28aaeb65c832b6af1a69.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
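Every row in the Network table is a PTR (reverse-DNS) query sent to 8.8.8.8; the report lists no forward lookups and no connections to the addresses behind those names, so this page alone does not show whether the sample or the Windows guest's own background activity issued them. To turn the table into addresses worth checking, the Python below is an added helper (not part of the report) that decodes each in-addr.arpa name back into the address that was looked up. It assumes only the four-column row layout shown above.

```python
"""Decode the PTR (reverse-DNS) queries in the behavioral2 Network table.

Added example, not part of the report. It re-reads the rows above and
turns each in-addr.arpa name back into the address that was looked up.
"""
import ipaddress
import re

# Rows copied verbatim from the report's Network table.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
"""

# Four dotted octets followed by the reverse-lookup suffix (trailing dot optional).
PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?")


def ptr_to_ip(name: str):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not an IPv4 PTR name."""
    m = PTR_RE.fullmatch(name.strip().lower())
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    try:
        # PTR names list the octets in reverse order.
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:  # e.g. an octet above 255
        return None


def decode_rows(table: str):
    """Parse '| country | resolver | name | proto |' rows into decoded lookups."""
    out = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # not a data row
        country, resolver, name, proto = cells
        ip = ptr_to_ip(name)
        if ip is None:
            continue  # header/separator row, or a forward query rather than a PTR
        out.append({
            "resolver": resolver, "proto": proto, "query": name,
            "address": ip,
            # Routable address vs. RFC 1918 / loopback / link-local etc.
            "global": ipaddress.ip_address(ip).is_global,
        })
    return out


if __name__ == "__main__":
    for row in decode_rows(NETWORK_ROWS):
        print(f"{row['query']:32} -> {row['address']:16} global={row['global']}")
```

The decoded addresses are the ones to pivot on in firewall and proxy logs; a PTR query for an address is not evidence of a connection to it, so check for an outbound flow before treating any of them as a contact point.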
Files
memory/4016-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4016-2-0x0000000004920000-0x0000000004B2C000-memory.dmp
memory/4016-9-0x0000000004920000-0x0000000004B2C000-memory.dmp
memory/4016-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4016-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4016-14-0x0000000004920000-0x0000000004B2C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| Hash | Value |
|---|---|
| MD5 | 10a8c03de70345104b2777e81e9990d3 |
| SHA1 | 4a479b93368905524e67967de2b3f326bd9925f6 |
| SHA256 | 1dd175971a80c3f8f674e0371d9ce16c8b66a1c580e3a94b77e1b73de24968e6 |
| SHA512 | bdd866c3fb23d0cdce5656593187ea4d100524d83e078d85ea09bba4766b94f2dfe6559cbac231e94766d119cdebe18f3ad0e3ec4b93045a0d39504db7d18986 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| Hash | Value |
|---|---|
| MD5 | f8a5724e6b8de6414778295dec5b3b06 |
| SHA1 | d76f390096d68ab4573de951888fa61b28d41fc5 |
| SHA256 | f893db16f9eb625ef46cdf63aca6ec9d0d6a0ca7134c58ae8598283b897983ef |
| SHA512 | a232fe88272456d80a7c4bb5561cbb1a678b05d76eccb229203473e79b21e4da2ba53820116faee1ac82989c9e0fddbc32d83b75050c589154153bd2e547e2c7 |
memory/4016-28-0x0000000004920000-0x0000000004B2C000-memory.dmp
memory/4016-29-0x0000000004920000-0x0000000004B2C000-memory.dmp
memory/4016-62-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4016-70-0x0000000004920000-0x0000000004B2C000-memory.dmp