Analysis Overview
SHA256
1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7
Threat Level: Known bad
The file 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7 was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (188) files with added filename extension
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:45
Reported
2024-12-27 19:46
Platform
win7-20240903-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Renames multiple (188) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Search Protocol URL Generator" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\SearchFolder.dll" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
"C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
Network
Files
C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini.tmp
| MD5 | 773c96c8fd1cccb4576d0695988569d6 |
| SHA1 | ac1bcc59135ed5a6979ee80baeb0d7ede9658eed |
| SHA256 | 7eb500a43248ff01e326aa055ba0a0732fc4c48fc4813c4c0564b6a20e704ce9 |
| SHA512 | e4ff01b12d109a28aa40506cc576edce9516e10091b100caa53c34d40be45c5ae0d60aaae3e280a6420a27e4aa4b769fdff088e626a7aa5a711be23a6f9b7593 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 05635ec8722130894b6a7e38243b1b40 |
| SHA1 | b2a7700499183663402f0c487dac91c91ff0f12a |
| SHA256 | f334af98ba305191ae70b5711a638eed6fa2f68d2b948d6e65c7d531cc153443 |
| SHA512 | 576d65cbc98382a43d10a8167804ea7e27e9b0894aedeb936eeca4552095be36042573cd3549debb84d33134db5f6865ee1de4d2c3be961ad3fdfd3158d2d595 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:45
Reported
2024-12-27 19:46
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
39s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Renames multiple (221) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "Microsoft.PhotoAcqOptionsDlg" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PhotoAcquireOptionsDialog" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Microsoft.PhotoAcqOptionsDlg.1" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
"C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp |
Files
C:\$Recycle.Bin\S-1-5-21-3350944739-639801879-157714471-1000\desktop.ini.tmp
| MD5 | 3b099f7e615c74160f5060e5c0e406df |
| SHA1 | 204cfc3a2a9bb971d9200c2d51c3e3c9e20d182e |
| SHA256 | 302943a89e3b029abce90004992e963ff39897d48c1a8e321e76b32ffca3c59d |
| SHA512 | e1ef6a409c95996b663b73c4b8ca58397117950c1bbd945a4d233e23e22c7df04e0533600cb93f08537b2031d6ce866cc0f1dea79c89b8a8e3ef5039dbe830ef |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 74e9775918550a78aecb21484fdf8397 |
| SHA1 | 4882b163284f2eb5c2248f247ef0edeb927fc9d8 |
| SHA256 | 8e1f1775bcb505e66705c663828f1b3bf8a65ec413c8459d1422ccb86826a6b4 |
| SHA512 | 4b015f580d1930568e694ee29d0fecdbec0d272b98eab91b0f889e2fb55c8c76932f33b48d81559c7205cfd45f5eb081cec6d23c16c9af9dcda7726a02cbe865 |