Analysis Overview
SHA256
871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845
Threat Level: Known bad
The file 871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (222) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (175) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:36
Reported
2024-12-27 19:37
Platform
win7-20241010-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Renames multiple (175) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "SAPI.SpShortcut.1" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "SAPI.SpShortcut" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "SpShortcut Class" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "5.4" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
"C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe"
Network
Files
memory/2556-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2556-1-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2556-8-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2556-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2556-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2556-13-0x00000000030A0000-0x00000000032AC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp
| MD5 | 133ddefa9649d34a4d0b7c2aed1aa7a4 |
| SHA1 | cc8c75ec851ac3c9618b5d6b43acf34216a152f5 |
| SHA256 | bdfa57d098b5166f1b3e6af183ae933b80509e16899439310402b0a6906fad63 |
| SHA512 | de35690291700685f3ce397cc69aed841c80174a9e70018d78e59bf688d0d459ca05a13d3e710db50b5cbc2b03e41a8812fce7c1eaadf1da0a2e233ffbcd3514 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 83bec0edcf2708fc3e4e865aca1b7b0d |
| SHA1 | e10831088b7e242e7228b49e8dd1358847a8850e |
| SHA256 | 92a391c490b6cb7155021cb0e3e6f0d0a3ff7853b5c4e362ee6fa67dd9cf4b94 |
| SHA512 | 6915a594f9f5c731d0c19f49aa2b860c4663afc861bcb690f83770d38802669e8cd6613fb1a9478422aaa93565d75da158457a6c1ea30650a36652b23f60a36d |
memory/2556-25-0x00000000030A0000-0x00000000032AC000-memory.dmp
memory/2556-41-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2556-45-0x00000000030A0000-0x00000000032AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:36
Reported
2024-12-27 19:37
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
43s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Renames multiple (222) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft AutoComplete" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe
"C:\Users\Admin\AppData\Local\Temp\871f94756206d57420b846c762180555e69a451b7d18ae9bcf5171f855c51845.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
Files
memory/5056-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/5056-2-0x00000000043C0000-0x00000000045CC000-memory.dmp
memory/5056-8-0x00000000043C0000-0x00000000045CC000-memory.dmp
memory/5056-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/5056-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/5056-13-0x00000000043C0000-0x00000000045CC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2878641211-696417878-3864914810-1000\desktop.ini.tmp
| MD5 | 704e3d81a837ce2df20f17ff7afe54cf |
| SHA1 | 39d394d7f4985b28e3f7258caf39b42eaa606a92 |
| SHA256 | ebcccc934cd2668083bcb9ca518886da2e4ffd66e6c791acc8a2e9f02e20aeb4 |
| SHA512 | b6245a67f47ee241253f5e63f4b01926030fe5786f24a20d8157014db0de5cc3081ae2ba0e948afdecd30bd583c460c2946593cd24ed8dbf13e9b10ccd1f517c |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 26970287a2104ad8d053953fae71e416 |
| SHA1 | 8921659cdf3c6a6f88fafe5f1eba7eb9650c65cc |
| SHA256 | 50c710450b2a3df13000919bbcacac6187dc0deebebdf083747c3e13b68acdb3 |
| SHA512 | e6c0475b7f9f78d045102692e103912318bd440fc40c5d26de30906f832c110c4513e5d798669641534a385d5750db4e14c5a836a516f5e8e07f5550a0f6a8d2 |
memory/5056-37-0x00000000043C0000-0x00000000045CC000-memory.dmp
memory/5056-38-0x00000000043C0000-0x00000000045CC000-memory.dmp
memory/5056-103-0x0000000000400000-0x0000000000616000-memory.dmp
memory/5056-117-0x00000000043C0000-0x00000000045CC000-memory.dmp