Analysis Overview
SHA256
df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c
Threat Level: Known bad
The file df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (479) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-07 08:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-07 08:21
Reported
2024-12-07 08:23
Platform
win7-20240708-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Renames multiple (198) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TreatAs\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AutoConvertTo\ = "{64818D11-4F9B-11CF-86EA-00AA00B929E8}" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "PowerPoint.Slide.4" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe
"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp
| MD5 | 29c8c71bb69b4436fbd70030cda8e3c4 |
| SHA1 | af9dc3b7b3f6bd3230ba1ff535b1dae05cd2bd2b |
| SHA256 | f2bcafed07723ec34f7008d36fa61babb90da3813e93b4971ad2740ac8ccd8e7 |
| SHA512 | c7573b880db9da2ccd8c4c33bad48a488c541ec3435c8b436951315ca0a29edfab3350fb1b146cc3948901d7c56a692556d25ae47e257e73aef9c03e56fa741c |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 3c9017fb14c58bc82db5304d1aca3d69 |
| SHA1 | feccdb8d883ff60ea45ea5a2d368419a3992e0f4 |
| SHA256 | c4c3f444e3cb94a164a6147cc591c1462e0bbb6f5a717a2ce3a759eb618197f5 |
| SHA512 | 596c091feaad2c83359238cf7436eece4bff27a4acfaad9abb8e44c5d48a981e4d4093f458105aef40e5bd40814b03128b7882f1a1733b50e7bf13c2797ece14 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-07 08:21
Reported
2024-12-07 08:23
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Renames multiple (479) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft DocProp Inplace Droplist Combo Control" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe
"C:\Users\Admin\AppData\Local\Temp\df71f6a029880bf5eaa547813e2d0a1af40e5d411cdcc7b7202f430d117e969c.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.179.15.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp
| MD5 | 41779652075011666c1384634c5531fb |
| SHA1 | b8a0ee6ccb0a41cca4852c88206c2616d79a23f9 |
| SHA256 | 631689ccabac4fb7203b94e2bef2cde69ad69d9cfd177ac7df45e40294383832 |
| SHA512 | 49267b582222cdd616e975ff2864336ba28331bf5bcb00f594fd445de6233383a9bb3dc1e92eb262c45ef54797ba0c8383a8cd91977b31976534eeb7316c1eff |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 8d2c9065febc86437d2ca8f4bad2b799 |
| SHA1 | 6cb15705c70f0e472aeda1786f7d796090cd1ecb |
| SHA256 | cd31b53e0509d27a3baa8b5103dad9940c95af06f6ff1f994c9aaab55dbd85a5 |
| SHA512 | 6a6b67ca3b8caf4cfbb8faa1fa2804685652a038d4897fb62a7894584de55d8754f9786994e8f0d9219bc89988840d5393a2dfd34d365a877009de7e36d56c62 |