Analysis Overview
SHA256
8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41
Threat Level: Known bad
The file 8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (169) files with added filename extension
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:27
Reported
2024-12-27 19:28
Platform
win7-20240903-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Renames multiple (169) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Microsoft.PhotoAcquire" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PhotoAcquire" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Microsoft.PhotoAcquire.1" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe
"C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe"
Network
Files
memory/2212-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2212-1-0x0000000002F80000-0x000000000318C000-memory.dmp
memory/2212-8-0x0000000002F80000-0x000000000318C000-memory.dmp
memory/2212-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2212-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2212-13-0x0000000002F80000-0x000000000318C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| MD5 | febcc77bc5c17a5bede6bacdd714c578 |
| SHA1 | 4dc9746a3169b5fec36fe4e9cb88cd0ef877ba7b |
| SHA256 | 9066d03483d868548972720bf31baf219a7994e6f32235d42255f5d1524db941 |
| SHA512 | d7026b180a2a6bdc4b7f3d11477a420dc5f16101c87dd513435d420b515d096ffd5b402ef0a89c065a70fd860eae9f29098de9d837006c659e755177576d5dac |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | e3d84dea7cdefd9b52ef27dfea23e688 |
| SHA1 | c52315fc5516e0816f9b1082f2ca1ba502ce18cd |
| SHA256 | b1bdd67ee5bc90b965e5b049067d9a29c4a024df2ae23d34dadf32771794245b |
| SHA512 | bec1d67691ad7644903272208cf5509d882dc96407a792305a2e4e0ca2d74979454855866ba17b03e730f0742cc3b4c0450812cd1e302f7e07be21f7c51bdf2a |
memory/2212-25-0x0000000002F80000-0x000000000318C000-memory.dmp
memory/2212-41-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2212-47-0x0000000002F80000-0x000000000318C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:27
Reported
2024-12-27 19:28
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
36s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Renames multiple (219) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "FormHost.FormHost" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "FormHost Class" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\mmcndmgr.dll" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "FormHost.FormHost.1" | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe
"C:\Users\Admin\AppData\Local\Temp\8aa50f7938c30c4fe342eda08f87ab836c47a9812eb939e765fae3be39d4bc41.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
Files
memory/4244-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4244-2-0x0000000004A00000-0x0000000004C0C000-memory.dmp
memory/4244-9-0x0000000004A00000-0x0000000004C0C000-memory.dmp
memory/4244-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4244-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4244-14-0x0000000004A00000-0x0000000004C0C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| MD5 | 3a27eda7071e164e9fd143d10c77f9bf |
| SHA1 | 02166a78baa9f73278033d120dceacbdb765db5e |
| SHA256 | fa2155259e606a3c34da8fb58f8c4ee6a1984fed84ee9d3f65581ff99db41fce |
| SHA512 | 58f7d472792421f39d9facc72d1afcd24bbcacb2264d2f540da7b81f3a00120b2182df2d80d6a8958c93f9cacc0aa119078aaf371d91efa4c3ae3a76abc778bb |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 92ee50338ca406a40d69019a28dd6bf5 |
| SHA1 | 43f9ef413229e37d89cac3ba872b8b985866da34 |
| SHA256 | b67e23a9768e6768ff5c2e3d27008478818c880060b4bc4f462142f95e42a97b |
| SHA512 | 14a76ebbd947b1e5ff9d201f41268a843a956d610adff916046f701ce9887f5c35dab63f309a5fd5a1ec85898dee4f0db5f34f709b3249fb669e878e5d627a18 |
memory/4244-42-0x0000000004A00000-0x0000000004C0C000-memory.dmp
memory/4244-43-0x0000000004A00000-0x0000000004C0C000-memory.dmp
memory/4244-112-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4244-124-0x0000000004A00000-0x0000000004C0C000-memory.dmp