Analysis Overview
SHA256
3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1
Threat Level: Known bad
The file 3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (249) files with added filename extension
Renames multiple (197) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-19 07:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-19 07:17
Reported
2024-12-19 07:19
Platform
win10v2004-20241007-en
Max time kernel
61s
Max time network
103s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Renames multiple (249) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "HandWritingSkinProps Class" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%CommonProgramFiles%\\microsoft shared\\ink\\tipskins.dll" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe
"C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/4328-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4328-2-0x0000000004980000-0x0000000004B8C000-memory.dmp
memory/4328-9-0x0000000004980000-0x0000000004B8C000-memory.dmp
memory/4328-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4328-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4328-14-0x0000000004980000-0x0000000004B8C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp
| MD5 | 7960f30dc4cb86737dfd69c678bb196f |
| SHA1 | 526a40fdd11c43b50dee302d30604406660b303a |
| SHA256 | d967e1ad8a393020c9b1ca33feaf8da2a32e88745d12461804fd54cc5be032cc |
| SHA512 | 11c7a6a24418208d4d66499f864e766a479bb80c5bdb9d27a3c73d5a628f7f2df5b0ff5705369670e201f9bae985fb0ba42dc3e047d1c40fd9be462a831941c3 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | c07f1af242df3f08bdc878450aa64642 |
| SHA1 | e80d35ac6540be9bf1c9b7e099f4ef05eda5a6c2 |
| SHA256 | 892053378b418df08fe79857c35969657ab391c0a73abb548124d7c60604aa0d |
| SHA512 | d911b01eab9a1ed72edb86124adb0499858be635bf2cf96def6c7199c95de606350b2c13f6f2912981115e345e5b2237e86c9aa61da966e80a857d8a69d3147a |
memory/4328-58-0x0000000004980000-0x0000000004B8C000-memory.dmp
memory/4328-59-0x0000000004980000-0x0000000004B8C000-memory.dmp
memory/4328-170-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4328-192-0x0000000004980000-0x0000000004B8C000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-19 07:17
Reported
2024-12-19 07:19
Platform
win7-20241010-en
Max time kernel
120s
Max time network
19s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Renames multiple (197) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Vbe.Interop.CommandBarEventsClass" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0 | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\14.0.0.0\Class = "Microsoft.Vbe.Interop.CommandBarEventsClass" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe
"C:\Users\Admin\AppData\Local\Temp\3147cdf214d6ea10f730524989e5179c7e6299bd2bdc60cd4c651b0a10d98ae1.exe"
Network
Files
memory/2660-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2660-8-0x0000000003010000-0x000000000321C000-memory.dmp
memory/2660-1-0x0000000003010000-0x000000000321C000-memory.dmp
memory/2660-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2660-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2660-13-0x0000000003010000-0x000000000321C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3692679935-4019334568-335155002-1000\desktop.ini.tmp
| MD5 | d5c3d7c256dad91033706728822ebcd8 |
| SHA1 | 9e8b528fe700d40264877a7e7710780a75fdc964 |
| SHA256 | bb663622960284c898b6984c0adec40f5558b76d33ca6c748fdcb0e7e2d87e8c |
| SHA512 | 2aa77da077c36d12d1fe5e6ef33811400f53213b392aeb80eefb8796927d5860becd024e04b452b71230fe21429b0f711c0cdf05e9cfdde9fbae333613a6d1a6 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 29790cad7a784df2919f911565155d77 |
| SHA1 | f7275b97caa81ae18a01f79ab0d6ea57d5b6d3d5 |
| SHA256 | 3380dc93b64a425df883bbaeeb6f2ac556ebf5125a48f61997f7dcffea0fbe0f |
| SHA512 | 242fcfab9db80c55bf15307875dbbcc4621fb8e6a6d82354cb2b4dc8babb9749aa40e920f98006b3ca2af60f5ea9ba29ac1f837c079ac3ef0d1af2d21cae00f9 |
memory/2660-23-0x0000000003010000-0x000000000321C000-memory.dmp
memory/2660-29-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2660-31-0x0000000003010000-0x000000000321C000-memory.dmp