Analysis Overview
SHA256
91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca
Threat Level: Known bad
The file 91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (234) files with added filename extension (behavioral2, Windows 10 run)
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (197) files with added filename extension (behavioral1, Windows 7 run)
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:01
Reported
2024-12-27 19:02
Platform
win7-20240903-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Renames multiple (197) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "CLSID_PathCompleteProvider" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SearchFolder.dll" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe
"C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe"
Network
Files
memory/2336-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2336-1-0x0000000002FC0000-0x00000000031CC000-memory.dmp
memory/2336-8-0x0000000002FC0000-0x00000000031CC000-memory.dmp
memory/2336-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2336-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2336-13-0x0000000002FC0000-0x00000000031CC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp
| MD5 | a81116366aa414b01012bfb10fa8aba2 |
| SHA1 | 98653be0cefeb1898e96237ee24934d9976d8d49 |
| SHA256 | 65ada409f9eb12f880d56e3a7ef17126704d3e592b45440958bdc8e26d87fed5 |
| SHA512 | 23449ed6699aba7f31c619da359d003a8f40739c2f6e2bdae72232360dee18809c8dfddbe7981c2fabba108c8c11fee1dded3168f878ee4b9693fb797d0eca0e |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 0c8d04232aabb0089a5ef2807e1526cd |
| SHA1 | c0097f99a2cbbff8c33b436e6279af0f65aaf718 |
| SHA256 | f024cb2f712a4117e86613933bd6d3d9d4678c1deafed247f46e08b857592277 |
| SHA512 | 867d5b6e4db6a7c6e8164cb4d1ed982de168f1d7dfc92642a088d291dc2cf5131ee62190ff4571d68bda0b7fcec7a246ffb5250fcc9435d8b21d72ab1ced0986 |
memory/2336-25-0x0000000002FC0000-0x00000000031CC000-memory.dmp
memory/2336-45-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2336-57-0x0000000002FC0000-0x00000000031CC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:01
Reported
2024-12-27 19:02
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
34s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Renames multiple (234) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCorEE.dll" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft.Vsa.Vb.CodeDOM.Location" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Vsa.Vb.CodeDOM.Location" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29} | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Vsa.Vb.CodeDOMProcessor, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe | N/A |
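Added example (editor's code, not part of the sandbox report): the registry rows in the behavioral1 and behavioral2 signature tables above, re-read as detection input. The script maps each key to the technique it implies (the ATT&CK IDs are the editor's mapping, the report lists none), flags a process that probes the VirtualBox ACPI table and the BIOS values in the same run, and checks every CLSID InProcServer32 default value against the Windows directory. The last check matters here because the same CLSID is created in both runs but points at different Microsoft DLLs (SearchFolder.dll under %SystemRoot%\SysWow64 on Windows 7, MSCorEE.dll under C:\Windows\SysWOW64 on Windows 10), so a rule that fires on CLSID creation alone would also fire on ordinary COM registration; the process name is shortened to sample.exe and the final evil.dll row is a constructed counter-example, not something the report shows.

```python
import re
from collections import defaultdict

# Constructed from the "Description | Indicator | Process" rows of the
# behavioral1 and behavioral2 tables above; the process name is shortened to
# "sample.exe". The last row is NOT on the page: it is a constructed
# counter-example showing the shape a real COM hijack would have.
EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "sample.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "sample.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate", "sample.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", "sample.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SearchFolder.dll"',
     "sample.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCorEE.dll"',
     "sample.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\evil.dll"',
     "sample.exe"),
]

# Default value of a CLSID's InProcServer32 key: the DLL COM will load in-process.
CLSID_SERVER = re.compile(
    r"\\Classes\\(Wow6432Node\\)?CLSID\\\{([0-9A-F-]+)\}\\InProcServer32\\$", re.I)

# (key pattern, label, ATT&CK technique). The technique mapping is the editor's.
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "VirtualBox ACPI table probe", "T1497.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBios(Version|Date)|VideoBiosVersion)$", re.I),
     "BIOS fingerprint", "T1497.001"),
    (re.compile(r"\\Control\\Nls\\Language$", re.I),
     "system language discovery", "T1614.001"),
    (CLSID_SERVER, "COM in-process server registration", "T1546.015"),
]

# Paths a legitimately registered system COM server is expected to live under.
SYSTEM_ROOTS = ("%systemroot%\\", "c:\\windows\\")


def split_indicator(indicator):
    """Split 'key = "value"' rows into (key, value); key-only rows give value None.
    The sandbox escapes backslashes inside values, so they are collapsed here."""
    key, sep, value = indicator.partition(" = ")
    if not sep:
        return indicator, None
    return key, value.strip().strip('"').replace("\\\\", "\\")


def classify(events):
    """Map each process to the (label, technique) pairs its registry activity matches."""
    hits = defaultdict(list)
    for _desc, indicator, process in events:
        key, _value = split_indicator(indicator)
        for pattern, label, technique in RULES:
            if pattern.search(key):
                hits[process].append((label, technique))
    return dict(hits)


def anti_vm_profilers(events):
    """Processes that both probe the VirtualBox ACPI table and read BIOS values."""
    result = set()
    for process, hits in classify(events).items():
        labels = {label for label, _ in hits}
        if {"VirtualBox ACPI table probe", "BIOS fingerprint"} <= labels:
            result.add(process)
    return result


def suspicious_inproc_servers(events):
    """(clsid, dll) pairs whose InProcServer32 default value lies outside %SystemRoot%."""
    flagged = []
    for _desc, indicator, _process in events:
        key, value = split_indicator(indicator)
        m = CLSID_SERVER.search(key)
        if m and value is not None and not value.lower().startswith(SYSTEM_ROOTS):
            flagged.append((m.group(2), value))
    return flagged


if __name__ == "__main__":
    for process, hits in classify(EVENTS).items():
        print(process, sorted(set(hits)))
    print("anti-VM profilers:", anti_vm_profilers(EVENTS))
    print("InProcServer32 outside %SystemRoot%:", suspicious_inproc_servers(EVENTS))
```

Run as-is the script reports sample.exe as an anti-VM profiler and flags only the constructed evil.dll registration; both of the report's own InProcServer32 values resolve under the Windows directory and pass the check.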
Processes
C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe
"C:\Users\Admin\AppData\Local\Temp\91c57e78c58fe8d4600e8963a262ee1433f79cf09c751991846feeb4449629ca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
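Added example (editor's code, not part of the sandbox report): every Domain entry in the Network table above is a reverse-DNS (PTR) name, so the addresses being looked up can be recovered by reversing the octets. The table has no process column, so the decoded list says only which addresses something on the Windows 10 VM resolved, not that the sample contacted them; the first row asks the resolver about itself and is dropped from the candidate list. The ip6.arpa branch goes beyond the table, which only shows IPv4 lookups, and its test input is the RFC 3596 sample address.

```python
import ipaddress

# Constructed from the Domain column of the behavioral2 Network table above.
PTR_QUERIES = [
    "8.8.8.8.in-addr.arpa",
    "13.86.106.20.in-addr.arpa",
    "101.210.23.2.in-addr.arpa",
    "133.32.126.40.in-addr.arpa",
    "95.221.229.192.in-addr.arpa",
    "232.168.11.51.in-addr.arpa",
    "53.210.109.20.in-addr.arpa",
    "15.164.165.52.in-addr.arpa",
    "172.214.232.199.in-addr.arpa",
]


def ptr_to_ip(name):
    """Turn a reverse-DNS name back into the address it asks about.

    in-addr.arpa carries the four IPv4 octets reversed; ip6.arpa carries the
    32 IPv6 nibbles reversed (handled here although the table above only shows
    IPv4 lookups). Anything else, including malformed octets, returns None.
    """
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        pass
    return None


def resolved_addresses(queries):
    """Unique decoded addresses in first-seen order; non-PTR names are skipped."""
    seen = []
    for query in queries:
        ip = ptr_to_ip(query)
        if ip is not None and ip not in seen:
            seen.append(ip)
    return seen


def candidate_peers(queries, resolver="8.8.8.8"):
    """Decoded addresses minus the resolver's own address and minus
    non-routable ranges (loopback, RFC 1918, link-local)."""
    resolver_ip = ipaddress.ip_address(resolver)
    return [ip for ip in resolved_addresses(queries)
            if ip != resolver_ip and ip.is_global]


if __name__ == "__main__":
    for ip in candidate_peers(PTR_QUERIES):
        print(ip)
```

The decoded addresses are the input for the next step (passive DNS or RDAP ownership lookup), which the report does not contain and which this example does not attempt.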
Files
memory/4596-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4596-2-0x0000000004870000-0x0000000004A7C000-memory.dmp
memory/4596-9-0x0000000004870000-0x0000000004A7C000-memory.dmp
memory/4596-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4596-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4596-14-0x0000000004870000-0x0000000004A7C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3227495264-2217614367-4027411560-1000\desktop.ini.tmp
| MD5 | 68dc335be6516dfbd5069d20904f84b6 |
| SHA1 | 9457f5d23c08b86eef60faf52dd14c0cd0e040eb |
| SHA256 | 523a1c23a4f4bdb79aec2becdb541763fd7b14eb7b7b73b387a63e6d5f0f093e |
| SHA512 | f8298c3b47314592bdc2ec81e0719e13a568da2682c9d0f5394df15ac1df3083c7209da8a5184bd72590c6b046ae7e9453c170965d9ae87edfea71c93d2c6816 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 2eb6844819f5324361b57f5fb07801e6 |
| SHA1 | d372e9d7d6ee5a0a8c641bd6a92454f3d2c8cb42 |
| SHA256 | 9f88666ed61a78a86975e55ba940660e799e000feec641a39a8f37092d5078f0 |
| SHA512 | 4974295246ef53a3cd1c4468dd49ee7ebbe7d76f55d81d68be404509bec4ea68ae0f06f91b916cae500d5443bff67285ab6a056bdb7c14b89892f9b1c764c463 |
memory/4596-54-0x0000000004870000-0x0000000004A7C000-memory.dmp
memory/4596-55-0x0000000004870000-0x0000000004A7C000-memory.dmp
memory/4596-148-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4596-168-0x0000000004870000-0x0000000004A7C000-memory.dmp
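Added example (editor's code, not part of the sandbox report): the Files sections of both runs above list desktop.ini.tmp, Office64WW.xml.tmp and 7-zip.dll.tmp, that is, the original name kept whole with one extra extension appended, spread across $Recycle.Bin, MSOCache and Program Files. This is the shape the "Renames multiple (N) files with added filename extension" signature counts. The script below rebuilds that logic over a list of (process, old path, new path) rename events: the three pairs from the page are reconstructed from the .tmp names, the filler renames and the benign renames by other processes are constructed, and the threshold of 20 is an assumed value, not the sandbox's.

```python
import ntpath
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # stands in for the hash-named path

# The three ".tmp" drops listed in the Files sections above, as (old, new) pairs.
ON_PAGE = [
    (r"C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini",
     r"C:\$Recycle.Bin\S-1-5-21-1488793075-819845221-1497111674-1000\desktop.ini.tmp"),
    (r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml",
     r"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp"),
    (r"C:\Program Files\7-Zip\7-zip.dll", r"C:\Program Files\7-Zip\7-zip.dll.tmp"),
]
# Constructed filler (not on the page) so the sample crosses the threshold,
# plus benign renames from other processes that must not be counted.
FILLER = [(r"C:\Program Files\App\file%d.dat" % i, r"C:\Program Files\App\file%d.dat.tmp" % i)
          for i in range(20)]
EVENTS = [(SAMPLE, old, new) for old, new in ON_PAGE + FILLER] + [
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\Installer\setup.log", r"C:\Windows\Installer\setup.log.bak"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\a.txt", r"C:\Users\Admin\Documents\a.docx"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Admin\Documents\b.txt", r"C:\Users\Admin\Desktop\b.txt.old"),
]


def is_extension_append(old_path, new_path):
    """True when new_path is old_path plus exactly one extra extension, in the same directory.
    An extension swap (a.txt -> a.docx) or a move to another directory does not count."""
    old_dir, old_name = ntpath.split(old_path)
    new_dir, new_name = ntpath.split(new_path)
    if old_dir.lower() != new_dir.lower():
        return False
    if not new_name.lower().startswith(old_name.lower() + "."):
        return False
    suffix = new_name[len(old_name):]        # e.g. ".tmp"
    return suffix.count(".") == 1 and len(suffix) > 1


def top_level(path):
    """Drive plus first directory component, e.g. the Program Files root."""
    drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.split("\\") if p]
    return drive + "\\" + parts[0] if parts else drive


def rename_summary(events):
    """Per process: count of extension-append renames, extensions used, top-level dirs touched."""
    summary = defaultdict(lambda: {"count": 0, "extensions": Counter(), "roots": set()})
    for process, old, new in events:
        if is_extension_append(old, new):
            entry = summary[process]
            entry["count"] += 1
            entry["extensions"][ntpath.splitext(new)[1].lower()] += 1
            entry["roots"].add(top_level(new))
    return dict(summary)


def mass_renamers(events, threshold=20):
    """Processes at or above the rename threshold (the threshold is an assumed value)."""
    return sorted(p for p, s in rename_summary(events).items() if s["count"] >= threshold)


if __name__ == "__main__":
    for process, entry in rename_summary(EVENTS).items():
        print(process, entry["count"], dict(entry["extensions"]), sorted(entry["roots"]))
    print("mass renamers:", mass_renamers(EVENTS))
```

The roots set is what makes the verdict useful for triage: a single installer renaming files under its own directory is expected, while one process appending the same extension under $Recycle.Bin, MSOCache and Program Files in the same run is the pattern the report's signature is built to catch.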