Analysis Overview
SHA256
0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0
Threat Level: Known bad
The file 0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0 was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Renames multiple (205) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (106) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:47
Reported
2024-12-27 19:48
Platform
win7-20240903-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Renames multiple (106) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrobj.dll" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "ScriptletHandler.Event" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Constructor for Scriptlet Event Handler" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}\ | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe
"C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe"
Network
Files
memory/2400-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2400-1-0x0000000002FD0000-0x00000000031DC000-memory.dmp
memory/2400-8-0x0000000002FD0000-0x00000000031DC000-memory.dmp
memory/2400-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2400-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2400-13-0x0000000002FD0000-0x00000000031DC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp
| MD5 | 9073dc73b7a30d3a2d3e9b4b3c68e1b6 |
| SHA1 | 0b3af4094781268ba3aea1ae3d6460b58429240d |
| SHA256 | d7fce491e8a06b52add12a81936296581eb82c48f8c7a6a7c7c5ad9bafafade5 |
| SHA512 | 1846d589f581ba848298741a6fb890cfe3b14f8b91d45c455f674f2b59ec6d92bbdf837b7e9554b47df172a4a534558ceb7ea609fa19eecd99a7ebc9d3a2b084 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 56695c83072cd89293e8424ffab4bebf |
| SHA1 | 29560b916e6bb2208e3e5f0bf5dda3da9a9a795c |
| SHA256 | 89985e05e3fb8d5b7db6530d3212c0825e3776d73093b2279f861796b9626507 |
| SHA512 | 4fa2f1df4d26e454e5492c263b66be46f74bc7896430b8a5c090b73fdee1442249bfa5454180d700338f3973c92d2f3a264605ca9dbf1ae9c72763f5e572688c |
memory/2400-26-0x0000000002FD0000-0x00000000031DC000-memory.dmp
memory/2400-25-0x0000000002FD0000-0x00000000031DC000-memory.dmp
memory/2400-37-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2400-43-0x0000000002FD0000-0x00000000031DC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:47
Reported
2024-12-27 19:48
Platform
win10v2004-20241007-en
Max time kernel
59s
Max time network
33s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Renames multiple (205) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "PBDA DTFilter" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\CPFilters.dll" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe
"C:\Users\Admin\AppData\Local\Temp\0c8e206afac9f49721dcf36c596087a37462ee5be33de925ee8377f7fc5d6fe0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
Files
memory/4688-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4688-2-0x00000000043A0000-0x00000000045AC000-memory.dmp
memory/4688-9-0x00000000043A0000-0x00000000045AC000-memory.dmp
memory/4688-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4688-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4688-14-0x00000000043A0000-0x00000000045AC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp
| MD5 | 873285c87fe8d382b431ac3a86f5276b |
| SHA1 | 9d7df6333c938c76496a7cbb69fc0a69322ab67c |
| SHA256 | e568aa53cdc62917da3800c7d8c607426458a19da601b41696bc93023a360ca9 |
| SHA512 | 5aca9ccfc3bc2b420614852fc58da5f952868cae9d61e7bec07ceecbaaa67c65cd737ca43ef58b3020984f91e9dba09328e526317c2804f068ce1a0565e837bd |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | f48f2c7df95c7230c189f1894ec15fa2 |
| SHA1 | 7612c8b065b45d5e51c936dca56149d78bcefc34 |
| SHA256 | 4d15b3c0a1a157b3a03878346451ea7e49dc56909d0391ef6f832965b2b00d9e |
| SHA512 | 7124d3e6225994d6d65acf34d2d6acb801cfce13ff4f568d6bf7b89f51aa58d296b0f97f2b312d4319a5b9d55e245186f27b9751e946ce67d891e6bf7352a7ee |
memory/4688-32-0x00000000043A0000-0x00000000045AC000-memory.dmp
memory/4688-33-0x00000000043A0000-0x00000000045AC000-memory.dmp
memory/4688-72-0x0000000000400000-0x0000000000616000-memory.dmp
memory/4688-82-0x00000000043A0000-0x00000000045AC000-memory.dmp