Analysis Overview
SHA256
b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058
Threat Level: Known bad
The file b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (196) files with added filename extension
Renames multiple (982) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-19 01:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-19 01:21
Reported
2024-12-19 01:24
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Renames multiple (982) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mfc42u.dll" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Picture Property Page" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | 7c4b4546f09b7d3709ad4c0a412b1fbd |
| SHA1 | ea7105a761bab4e925f33abb8c5778f61b9c8be4 |
| SHA256 | 68d52ef92eebe4e98fbab289721dabb10de42cba99c47874909812a8c97cd238 |
| SHA512 | 44e56d1a5f0e22b79246932108e74235239eca9e79ec493cb2490cb6b4dd8295ad1d6ec285ca13127085409123c3f432aec05fbaba73e7a55dc9634aeeb90d38 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| Hash | Value |
| --- | --- |
| MD5 | e4a84fd314b4d407b751e4c8d3a0d06d |
| SHA1 | 24e454ec8a63bd851aafc9f984349d6b05a0bf95 |
| SHA256 | 7b46901d6d165021426cf8ae0bf9593af90a05570cb564f04a2934651a8ab64e |
| SHA512 | f12f755d7f96b979763d57d1f89a0134fd7491452aab8e5fd18e9aa07413e410948da43fd812e6ce7c9cbb443c1306024904350eb18377755e9325f53e20e47a |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-19 01:21
Reported
2024-12-19 01:24
Platform
win7-20241010-en
Max time kernel
150s
Max time network
20s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Renames multiple (196) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{F5078F18-C551-11D3-89B9-0000F81FE221}" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "3.0" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Msxml2.SAXXMLReader" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "SAX XML Reader" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Msxml2.SAXXMLReader" | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe
"C:\Users\Admin\AppData\Local\Temp\b80f9c5be3caf9cd0ea280c000826349ca6b551937137ed8620986d9fd688058.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp
| Hash | Value |
| --- | --- |
| MD5 | bce3d286419157692e2da452ed050aa9 |
| SHA1 | 3d94e82a20959281aaac0677854525bebd68b4e1 |
| SHA256 | f225b985db5cdc517a1bfef8bfefe5d5b537992fccaf91244dcf983193efbd14 |
| SHA512 | 2762bad04965b0016f15ad0915bc3df298585bd5881d8d27b177b0d04db4dfa73ad6679825cba8126f38b9da10951315bee64df72cb403ad5e60edd353e552f6 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| Hash | Value |
| --- | --- |
| MD5 | 7efbe563aa47952f3e3d1b63cd1b1080 |
| SHA1 | 41a33fe9d18369449c99a2ebbfafc4e67169361c |
| SHA256 | 59a633b10cf2c2eeeb8a7f5d17d4fe132cee25c5a85c33984febc3a9f7cecb71 |
| SHA512 | 58f3cdbd2f264fe40c862b68b804606dce99e8cff900cbc9e3da0e8941f193e026a66d40a307301afdd9ffbc3e464883c7c0575901fb806144e2b8e4083cc61f |