Analysis Overview
SHA256
872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e
Threat Level: Known bad
The file 872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (218) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (196) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-27 19:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-27 19:33
Reported: 2024-12-27 19:34
Platform: win7-20240903-en
Max time kernel: 60s
Max time network: 18s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Renames multiple (196) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "mscoree.dll" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\Assembly = "Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v1.1.4322" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0 | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\8.0.0.0\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0 | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\Class = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\RuntimeVersion = "v1.1.4322" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgId\ = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft.JScript.JSAuthor" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\7.0.5000.0\Assembly = "Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe
"C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| MD5 | 27c052f0f1f49a18c0025babbdf336c0 |
| SHA1 | b8748496e8b559b89d01301a1e2c00feb19b8799 |
| SHA256 | d75a6e4ba2ba3e3a05758c333b75738331fcf41b39731354ea702e843054017a |
| SHA512 | b8a0f69e0677529940bff410c23b9ac5ba30389a2f22f715b892595fb9f753c1fcac1a72941f8f40731257cb2153c81b9586d52a66ae1f5412e5a250ede4c9ac |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 3478c6dac1b8f2e898ebaa194eccf9cb |
| SHA1 | 6ecde4a79f139a43fbba7f09c8c3bafff1e94b7c |
| SHA256 | 1afce688307d20c95c6d62a9e67b7623a8cbedda960ba3bb238cc4996c54a51e |
| SHA512 | 29750205942735d8b91a29f8cbf0a14b0f510e36282511811d855186535cdf17a1ea24ed04faabd0aabe189034e24b1087864642c125bf46b9a0dc907a78864b |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-27 19:33
Reported: 2024-12-27 19:34
Platform: win10v2004-20241007-en
Max time kernel: 60s
Max time network: 48s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Renames multiple (218) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "LocalCopyHelper" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe
"C:\Users\Admin\AppData\Local\Temp\872efda22a1a464d90ed06cbdfc178e6ba06536805ce79f04c54991f6c8cad5e.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp
| MD5 | 8daaa973b0d8f42bb6cea26bba049c5e |
| SHA1 | 74869250dce65880eef1ec2124b28140488dc7e2 |
| SHA256 | 2700013fb5831aeb333d4084ac06a7ae533f7ae223d9ca9c33b95004eb9eb9fd |
| SHA512 | 6ec329499973f004874ad57ac6d9859ac7766f55481b455a0907e25a0c280d665c6e7bf9c8f403c39f702073232419f70660ac43a970c28406897b19f9bb2897 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 433347446b092063034a1eff53519d3e |
| SHA1 | dc4ce88ced9d1d3f55dd9403034df91e0bbb195c |
| SHA256 | 4a52c675dae9a7fd6f926f5c0323baf0847cac391a1b421e215f1bdd410277ce |
| SHA512 | c53d467cbd43f8b36651117d2f9407e9e8827cdb55c5f54efb87d319bd0322ec1231d369e9c1bfaa3bb6b8695075a4e5891cf5b3950c211e46d87053d3d06f87 |