Analysis Overview
SHA256
2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9
Threat Level: Known bad
The file 2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (673) files with added filename extension (behavioral2, win10v2004-20241007-en)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (224) files with added filename extension (behavioral1, win7-20240903-en)
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-19 06:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-19 06:41
Reported
2024-12-19 06:43
Platform
win7-20240903-en
Max time kernel
120s
Max time network
119s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Renames multiple (224) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "CWRLoader Object" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AppID = "{C04E4E5E-89E6-43C0-92BD-D3F2C7FBA5C4}" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "otkloadr.WRLoader.1" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ADDINS\\OTKLOADR.DLL" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Programmable\ | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{C04E4E5E-89E6-43C0-92BD-D3F2C7FBA5C4}" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Programmable | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "otkloadr.WRLoader" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe
"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe"
Network
Files
memory/2228-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2228-1-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2228-8-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2228-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2228-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2228-13-0x0000000002FB0000-0x00000000031BC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| MD5 | 424120ae36b1fc246e76b7f39352885e |
| SHA1 | 83d024181b276b7c546d8f88d2f0d87acbbf2501 |
| SHA256 | 82d1b85dcdf7a1d53c7a3db1a4aeaffc681b20b4bb74c8a6f71c0c6ca9675879 |
| SHA512 | ec6c1f2db7d76c5920a203c21d31f7ab21f3c3f3f4cf28e56eb9fd5d68fa9572957c22153a156bce608a1e6870c66af95e5d43df804ef6b9ffc5fa6a9bbb74e6 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 1967e547af90914209f14e69889180eb |
| SHA1 | 7f36c393b151cbf427e5b157f504956a707c5e5c |
| SHA256 | caf79b6efe8e59a925eb13e21de555733505fa98cb41dff5a3bd9a7b7fcbc875 |
| SHA512 | 1315f8e3a2bbe7716ca775127001c27cabf9abf7e4a27b49b5f839fda28c63d21e6a3eebc8dcef75e68475dd831cdd23391a87028b903093cdda81ff218654fc |
memory/2228-26-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2228-25-0x0000000002FB0000-0x00000000031BC000-memory.dmp
memory/2228-43-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2228-53-0x0000000002FB0000-0x00000000031BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-19 06:41
Reported
2024-12-19 06:43
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
95s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Renames multiple (673) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "AudioCleanup Class" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\audioeng.dll" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
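Both runs probe the same three hardware keys (the VirtualBox-named ACPI DSDT table and the BIOS version/date strings) and both write the same CLSID {5ADD62E2-4A23-86F4-8704-0C62BF6886E2} under the 32-bit Wow6432Node class view, yet the InprocServer32 target differs per platform: OTKLOADR.DLL under Office14 on Win7, audioeng.dll under SysWow64 on Win10. The script below is an added triage example, not part of the sandbox report: INDICATORS is copied by hand from the registry rows of the two behavioral tables above, while VM_FINGERPRINT_KEYS and the PowerShell hunting command are this example's own assumptions.

```python
"""Triage the registry indicators from the two behavioral runs.

Added example, not part of the sandbox report. INDICATORS is copied from the
report's 'Key opened' / 'Key value queried' / 'Set value (str)' rows;
VM_FINGERPRINT_KEYS and hunt_command() are assumptions of this example.
"""
import re
from collections import defaultdict

# Registry is case-insensitive, so the Win10 'WOW6432Node' spelling is folded into one constant.
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}"
HW = r"\REGISTRY\MACHINE\HARDWARE"

# (run, operation, key, value name, data); value name '' is the key's default value.
INDICATORS = [
    ("behavioral1", "Key opened",        HW + r"\ACPI\DSDT\VBOX__",                     None, None),
    ("behavioral1", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion", None, None),
    ("behavioral1", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosDate",    None, None),
    ("behavioral1", "Set value (str)",   CLSID,                      "", "CWRLoader Object"),
    ("behavioral1", "Set value (str)",   CLSID + r"\ProgID",         "", "otkloadr.WRLoader.1"),
    ("behavioral1", "Set value (str)",   CLSID + r"\InprocServer32", "",
     r"C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OTKLOADR.DLL"),
    ("behavioral1", "Set value (str)",   CLSID + r"\InprocServer32", "ThreadingModel", "Apartment"),
    ("behavioral2", "Key opened",        HW + r"\ACPI\DSDT\VBOX__",                     None, None),
    ("behavioral2", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosVersion", None, None),
    ("behavioral2", "Key value queried", HW + r"\DESCRIPTION\System\SystemBiosDate",    None, None),
    ("behavioral2", "Set value (str)",   CLSID,                      "", "AudioCleanup Class"),
    ("behavioral2", "Set value (str)",   CLSID + r"\InProcServer32", "", r"%SystemRoot%\SysWow64\audioeng.dll"),
    ("behavioral2", "Set value (str)",   CLSID + r"\InProcServer32", "ThreadingModel", "Both"),
]

CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})")

# Assumption: registry locations commonly read to fingerprint a hypervisor.
VM_FINGERPRINT_KEYS = {
    r"\ACPI\DSDT\VBOX__": "VirtualBox-named ACPI DSDT table",
    r"\DESCRIPTION\System\SystemBiosVersion": "BIOS version string",
    r"\DESCRIPTION\System\SystemBiosDate": "BIOS date string",
}


def anti_vm_probes(indicators):
    """Rows that read hypervisor-revealing hardware keys, as (run, key, why)."""
    hits = []
    for run, op, key, _name, _data in indicators:
        if not op.startswith("Key"):
            continue
        for suffix, why in VM_FINGERPRINT_KEYS.items():
            if key.lower().endswith(suffix.lower()):
                hits.append((run, key, why))
    return hits


def com_registrations(indicators):
    """CLSID -> run -> {name, progid, server, threading, wow64} from 'Set value' rows."""
    regs = defaultdict(lambda: defaultdict(dict))
    for run, op, key, name, data in indicators:
        m = CLSID_RE.search(key) if op.startswith("Set value") else None
        if not m:
            continue
        entry = regs[m.group(1).upper()][run]
        entry["wow64"] = "wow6432node" in key.lower()  # 32-bit class view on 64-bit Windows
        sub = key[m.end():].strip("\\").lower()         # subkey under the CLSID; '' is the CLSID key itself
        field = {("", ""): "name", ("progid", ""): "progid",
                 ("inprocserver32", ""): "server",
                 ("inprocserver32", "threadingmodel"): "threading"}.get((sub, name.lower()))
        if field:
            entry[field] = data
    return regs


def conflicting_servers(regs):
    """CLSIDs whose InprocServer32 differs between runs; a real component registers the same DLL everywhere."""
    return {clsid: {run: e["server"] for run, e in runs.items() if "server" in e}
            for clsid, runs in regs.items()
            if len({e["server"] for e in runs.values() if "server" in e}) > 1}


def hunt_command(clsid, wow64=True):
    """PowerShell line to read the same CLSID's server on a live host (assumed query form)."""
    view = r"WOW6432Node\CLSID" if wow64 else "CLSID"
    return r'Get-ItemProperty "HKLM:\SOFTWARE\Classes\{}\{}\InprocServer32"'.format(view, clsid)


if __name__ == "__main__":
    for run, key, why in anti_vm_probes(INDICATORS):
        print("[anti-vm] {}: {}  ({})".format(run, key, why))
    for clsid, servers in conflicting_servers(com_registrations(INDICATORS)).items():
        print("[com] {} registered with different servers per run: {}".format(clsid, servers))
        print("      hunt:", hunt_command(clsid))
```

The anti-VM rows only show that the keys were read, not what the sample did with the answer; the COM rows are the more actionable part, since the hunt command lets you check whether the CLSID exists on production hosts and, if so, whether its InprocServer32 file is actually present and signed.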
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe
"C:\Users\Admin\AppData\Local\Temp\2124b6cca004397d893eff47393bb82351152f5a3a7bfb5212fdadcc07d987c9N.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
memory/684-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/684-2-0x0000000004990000-0x0000000004B9C000-memory.dmp
memory/684-9-0x0000000004990000-0x0000000004B9C000-memory.dmp
memory/684-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/684-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/684-14-0x0000000004990000-0x0000000004B9C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| MD5 | 5c67ca04c2c689d543f8224a4b830882 |
| SHA1 | 32a94d9a9b1bef10b1a938c1dc4b3d9c9af29f8c |
| SHA256 | 7e67eb8b20aa00da067da520658f75b215c571c22893bab42931f534c273b71a |
| SHA512 | 36409344c1d8de00145e3f33b4f2f277963137e11a562ca708903ddd3f66f0074c61ae1c01e66fc5e6fc3b5f58fac95a467ae57f51fe6a26d8e8314d825a8500 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 0b65e5e24eb4c73edb0522d7fd13e7df |
| SHA1 | 1333843c4ed0d8be95343ccd596ab0d9e9dbe403 |
| SHA256 | f2c5bb6ce2f709c38f137e710cfd86fea4626ac8534663588136dc4509964bb0 |
| SHA512 | 56a8f9942c853798d94366d60f5454bd044526df7a54764bdc2d670a3c8a1ccb72065a3eb1c65d037bbb19fbe4c2fe07f02d30a3d2dca3cc7add5f417386d998 |
memory/684-58-0x0000000004990000-0x0000000004B9C000-memory.dmp
memory/684-59-0x0000000004990000-0x0000000004B9C000-memory.dmp
memory/684-164-0x0000000000400000-0x0000000000616000-memory.dmp
memory/684-184-0x0000000004990000-0x0000000004B9C000-memory.dmp
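The "Renames multiple files with added filename extension" signature (224 files on Win7, 673 on Win10) has no indicator table, but the Files sections show what it looks like on disk: desktop.ini, Office64WW.xml and 7-zip.dll each gain a .tmp suffix in place, across $Recycle.Bin, MSOCache and Program Files rather than only user documents. The detector below is an added example, not from the report: EVENTS is a constructed list of (old_path, new_path) rename records in a hypothetical EDR-style shape, in which only the three .tmp paths are taken from the Files sections above and the rest is invented filler.

```python
"""Flag mass in-place renames that append one extension to many files.

Added example, not part of the sandbox report. EVENTS is constructed: the
three .tmp pairs mirror the Files sections of the report, the remaining
entries are invented, and the (old, new) record shape is an assumption.
"""
import ntpath
from collections import Counter, defaultdict

_SID = "S-1-5-21-2872745919-2748461613-2989606286-1000"
_MSO = r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C"
EVENTS = [
    (r"C:\$Recycle.Bin\{}\desktop.ini".format(_SID), r"C:\$Recycle.Bin\{}\desktop.ini.tmp".format(_SID)),
    (_MSO + r"\Office64WW.xml", _MSO + r"\Office64WW.xml.tmp"),
    (r"C:\Program Files\7-Zip\7-zip.dll", r"C:\Program Files\7-Zip\7-zip.dll.tmp"),
    # constructed benign renames that must not count: a different name, and a suffix removed
    (r"C:\Users\Admin\Desktop\notes.txt", r"C:\Users\Admin\Desktop\notes_old.txt"),
    (r"C:\Users\Admin\Documents\~WRD0001.tmp", r"C:\Users\Admin\Documents\report.docx"),
]
# constructed filler: 30 documents in one folder receiving the same appended extension
EVENTS += [(r"C:\Users\Admin\Documents\q{}.docx".format(i),
            r"C:\Users\Admin\Documents\q{}.docx.tmp".format(i)) for i in range(30)]


def added_extension(old, new):
    """Extension appended to `old` to form `new` (same folder, same full name), else None."""
    if ntpath.dirname(old).lower() != ntpath.dirname(new).lower():
        return None
    base_old, base_new = ntpath.basename(old), ntpath.basename(new)
    if not base_new.lower().startswith(base_old.lower() + "."):
        return None
    ext = base_new[len(base_old) + 1:]
    return ext.lower() if ext and "." not in ext else None


def mass_rename_findings(events, threshold=20):
    """One finding per appended extension seen at least `threshold` times."""
    by_ext = defaultdict(list)
    for old, new in events:
        ext = added_extension(old, new)
        if ext:
            by_ext[ext].append(old)
    findings = []
    for ext, originals in by_ext.items():
        if len(originals) < threshold:
            continue
        findings.append({
            "appended_ext": ext,
            "count": len(originals),
            "directories": sorted({ntpath.dirname(p) for p in originals}),
            # System files (.dll, .ini, .xml) next to documents is a stronger
            # signal than documents alone: it is indiscriminate, not user-data targeting.
            "original_exts": Counter(ntpath.splitext(p)[1].lower() for p in originals),
        })
    return findings


if __name__ == "__main__":
    for f in mass_rename_findings(EVENTS):
        print("[mass-rename] +.{} on {} files in {} folders; hit types: {}".format(
            f["appended_ext"], f["count"], len(f["directories"]), dict(f["original_exts"])))
```

The threshold is a tuning knob: the sandbox fired at hundreds of files in two minutes, so for endpoint telemetry the count should be evaluated per process and per short time window, which the record shape above leaves out for brevity.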