Analysis Overview
SHA256
871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3
Threat Level: Known bad
The file 871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (195) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-27 19:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-27 19:35
Reported: 2024-12-27 19:36
Platform: win7-20241010-en
Max time kernel: 60s
Max time network: 17s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Renames multiple (195) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Outlook Office Finder" | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe
"C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp
| MD5 | 08acfa591e939224325dc08d34e6681b |
| SHA1 | a9969a8f3b7f710d2e6fdcf29991ca054f7b5aaf |
| SHA256 | 1eae398064aa5d08e85b8788ba1651d4700c827e38dbe832977ba7fca95d41e6 |
| SHA512 | 7b7c56dc9048d1bed58d2a321a7fe1ebc48f03bca34fbea981cb0e5cdb16a8f0326529b473ed8592e12a0d67c715c24b668d505caac715fd45339bd63aaaa159 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | bf37e951e4b51a4f3bd17672b9a9e981 |
| SHA1 | 6a35068178fe1283d33267ac72a15409b455d0b0 |
| SHA256 | 1a5c87c0dea261a8d5d9838b79d60b9d930f0ce0ae3eb8bc822acf69c16b0551 |
| SHA512 | 6af159fec071bfc6cd52bd2555a61820731b5c5a2912ad413fcf35c0bd6d3d09f2288c61b6d8826fafb615099825a71794478806f111dba2aa09f9b050dd05ee |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-27 19:35
Reported: 2024-12-27 19:36
Platform: win10v2004-20241007-en
Max time kernel: 60s
Max time network: 54s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%systemroot%\\SysWow64\\comuid.dll" | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe
"C:\Users\Admin\AppData\Local\Temp\871801352c3007a3b7e6bbee8b6d14617ef224ef6cd4cdc4c9129bfe076be2a3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp
| MD5 | 55af2091c4e879d72b7052d0e10c6427 |
| SHA1 | 081342155e671cedbb7b6081bfe4ba658234d0a6 |
| SHA256 | 500010a2d0dc5ca987977f5b4d7d8dcf4cdcb9b5f16edd4559c0cd2de6da09f8 |
| SHA512 | 0a808100bb91df219fd833387dc6b1f35ed46b7c61ff7f3d45ad7b3fe09799aed73043a81ac842a7060d78dcabea6fe4fec10d7abd49702194b4c2d8286bf0b2 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | d7df79ebf8f97e7347105311751b8651 |
| SHA1 | 4424f8bb04029245038c66482ed258ac5c7f6caf |
| SHA256 | d63f1d70b691ad332fc5d774f4700d6a97edab71da66370d2ac67d3bd0dbd0d1 |
| SHA512 | d80c7a5d9c468044a9b93dd654629782e826899b712a06026ca37268d811eabff235d7e3ced011cc5b7b8b26601ac036221a2bcbdba9811706c1bca23d330fae |