Analysis Overview
SHA256
a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58
Threat Level: Known bad
The file a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (354) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-05 01:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-05 01:27
Reported
2024-12-05 01:30
Platform
win7-20240903-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "C:\\Windows\\SysWOW64\\msscp.dll" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe
"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"
Network
Files
memory/1620-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1620-1-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/1620-8-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/1620-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1620-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1620-13-0x00000000030A0000-0x00000000032AC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp
| MD5 | f6fe8385d95098010eac831cec09c7d9 |
| SHA1 | a66b6974038c6b687071e286ccaf8c2e3dab9b66 |
| SHA256 | 614a03cd2fe4bb0259076d61d9f50ada563a03837b24af1dd98f9deee298cb64 |
| SHA512 | d4e8cd6ef4a48f1b247f9119cdb1674ed65d70d6260f81860c06498f328b57b8ca8f0fc95b5e0df63ce9dc150a76f89fcc642ad3ca2709a6ad6be72382626763 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | fb6d90e6447ecfee4d232343c8f72735 |
| SHA1 | 86adc15a8f2e64629e45be3a7161af32eca0630f |
| SHA256 | dc9c7fc04e6c316d559eea266905a5aed57f31c47dbd246ba7f7784e3edc98ea |
| SHA512 | 0e2400bbbf21ccb3e74c697df43bc2666ded9ae88cd52b289823d252f0f1d21aa5d5cdc46f753f550f5e29801614e3e384753612673d558b8c8f8f049625c901 |
memory/1620-26-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/1620-25-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/1620-37-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1620-43-0x00000000030A0000-0x00000000032AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-05 01:27
Reported
2024-12-05 01:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Renames multiple (354) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{03837503-098b-11d8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "TraceDataProvider" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "both" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "%SystemRoot%\\SysWow64\\plasrv.exe" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PLA.TraceDataProvider.1" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\pla.dll" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "PLA.TraceDataProvider" | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe
"C:\Users\Admin\AppData\Local\Temp\a85eb7fbf3dd9221dd2751e7b1370b6b10f221b95151017f611b5c3305e96e58.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/4828-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4828-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4828-9-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4828-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4828-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4828-14-0x00000000048F0000-0x0000000004AFC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp
| MD5 | 898ce13322d9f4a440f05ff60e391d34 |
| SHA1 | 15ecad2539556eeaf45a0ed86a4b9be18b0a1845 |
| SHA256 | 09e31213c880dc41264029ae27a69fe297b57179d9603285aa0e6f8a660adbe2 |
| SHA512 | 5afbe54118fa40d2afb96a389f0bd683ecd0fa613d760cbe72ed8f95264a608da1807c733a8e13b65a9976947fcfab3e10749a67969ce9384ce3b30da456a867 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | e79af2eb2d8ef60dac50e3404dbad23e |
| SHA1 | 0fd3ca8521289a0855f4c985b386a538f59f2b47 |
| SHA256 | c4084fdfee8e12b5a27acb27668a7030a164e1425e06286fb0d9ab3eeaf3e6b0 |
| SHA512 | e9c22d14a2baaaecaf6fecd7a2d149b47142fed37882390843969b8b40f82bc69e35475ab64338f6fe3e3c689886d1efe74f125e546f7ebc9eed43ab41aed560 |
memory/4828-35-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4828-34-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/4828-80-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4828-90-0x00000000048F0000-0x0000000004AFC000-memory.dmp