Analysis Overview
SHA256
1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7
Threat Level: Known bad
The file 1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7 was found to be: Known bad.
Malicious Activity Summary
Banload family
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (222) files with added filename extension
Renames multiple (591) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:47
Reported
2024-12-27 19:50
Platform
win7-20240903-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Renames multiple (222) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\AttributeMask = "0xffffffff" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\DropEffect = "0x2" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\DefaultOverlayIcon = "%SystemRoot%\\SysWow64\\imageres.dll,-169" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Staging ShellFolder for CD Burning" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\Location = "@shell32.dll,-12590" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MergedFolder\Attributes = "0x8000" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
"C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
Network
Files
memory/1644-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1644-1-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/1644-8-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/1644-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1644-13-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/1644-12-0x0000000000400000-0x0000000000616000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-1846800975-3917212583-2893086201-1000\desktop.ini.tmp
| MD5 | f99d955e2cff0d730e02b952fc2a7766 |
| SHA1 | 137956d0aae6fda9e8696da147c56ef5f0e3c3e2 |
| SHA256 | a7c9c8b6464c4a530f7c8368616ed382685af2d3e4cbebb0cab19c3b73a34621 |
| SHA512 | ac1c2a0ca8c7f98469950a71af86b7ea1718baa6e98b0b50be4516ec1d7517c8a41e81cab3433841f28f1795d52bfa2bf153ad0b71532e814082c40ede0f5536 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 775c9dddb951759d597f46494b06d0b9 |
| SHA1 | 5c4ca3a842cf1fc7007dba7a674b6add93f8ba9b |
| SHA256 | 33d1e6308caff720bedcfc28adee7e7695e9fe06cf6ccda43a89e5b046a1089c |
| SHA512 | 9d982db93ceaddb5091ee704d0a614424702af1798271f91f4eb520e8421d4b73a2f36212252b840186256a6603bd112fc9d1ad8286bd19bf82cd3dba13f4229 |
memory/1644-25-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/1644-41-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1644-45-0x0000000002F30000-0x000000000313C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:47
Reported
2024-12-27 19:50
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Renames multiple (591) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "5.4" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "SpShortcut Class" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "SAPI.SpShortcut.1" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "SAPI.SpShortcut" | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe | N/A |
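The registry rows in the signature tables above (both the win7 and win10 runs, and the summary at the top) are the kind of evidence an analyst wants to re-check mechanically rather than by eye: the VBOX__ table name under HKLM\HARDWARE\ACPI, the SystemBiosVersion/SystemBiosDate reads, the NLS\Language lookup, and the CLSID writes under Classes. The following Python is an added example written for this page, not sandbox output or vendor code. It parses rows in the report's own "| Description | Indicator | Process | Target |" layout and tags each row with the technique it evidences. The rule labels, the ATT&CK technique IDs, the sample rows and the shortened process path are the author's constructions; the key paths in the rules are the ones the report shows.

```python
"""Triage of registry events against the evasion/discovery indicators above.

Added example for this report; not sandbox output or vendor code. Rule labels,
ATT&CK IDs, sample rows and the process path are the author's constructions.
"""
import re
from collections import defaultdict

# Constructed sample rows in the report's table layout (process path shortened).
SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\explorer.exe | N/A |
""".strip().splitlines()

# One table row: "| <operation> | <indicator> | <process> | <target> |".
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")

# Each rule: (label, ATT&CK technique, operations it applies to, key-path regex).
# Registry paths are case-insensitive, so the two spellings of Wow6432Node seen
# across the report's two runs must hit the same rule; hence re.I everywhere.
RULES = [
    ("VirtualBox ACPI table name (anti-VM)", "T1497.001",
     {"Key opened", "Key value queried"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\[A-Z]{4}\\VBOX__", re.I)),
    ("BIOS version/date lookup", "T1082",
     {"Key value queried"},
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I)),
    ("System language discovery", "T1614.001",
     {"Key opened", "Key value queried"},
     re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet\d+\\Control\\NLS\\Language", re.I)),
    ("COM CLSID registration in HKLM", "T1112",
     {"Key created", "Set value (str)"},
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(Wow6432Node\\)?CLSID\\\{[0-9A-F-]{36}\}", re.I)),
]


def parse_row(line):
    """Split one row into (operation, key path, value or None, process)."""
    m = ROW_RE.match(line)
    if not m:
        return None
    indicator = m.group("ind")
    path, value = indicator, None
    if " = " in indicator:  # "Set value" rows carry '<path> = "<data>"'
        path, value = indicator.split(" = ", 1)
    return m.group("op"), path.strip(), value, m.group("proc")


def triage(rows):
    """Return {process: {(technique, label): hit count}} for rows matching a rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        op, path, _value, proc = parsed
        for label, technique, ops, pattern in RULES:
            if op in ops and pattern.search(path):
                hits[proc][(technique, label)] += 1
    return {proc: dict(counts) for proc, counts in hits.items()}


def evasion_flags(result):
    """Processes that both probe for a hypervisor and read BIOS strings, the
    combination both runs in this report show for the sample."""
    flagged = []
    for proc, counts in result.items():
        techniques = {technique for technique, _ in counts}
        if "T1497.001" in techniques and "T1082" in techniques:
            flagged.append(proc)
    return flagged


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for proc, counts in result.items():
        print(proc)
        for (technique, label), n in sorted(counts.items()):
            print(f"  {technique:10} {label} x{n}")
    print("sandbox-aware:", evasion_flags(result))
```

The ACPI rule deliberately does not anchor on the end of the path: on a real VirtualBox guest the VBOX__ key has further sub-keys, and a sample may open any of them. Only the header row and explorer.exe's benign read fall through without a hit.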
Processes
C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe
"C:\Users\Admin\AppData\Local\Temp\1f51c76ae0a8503beb1c9d65b93326a5eedeb36506cc404a5ad3ae381fb0acf7.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/1680-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1680-2-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/1680-9-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/1680-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1680-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1680-14-0x00000000048F0000-0x0000000004AFC000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini.tmp
| MD5 | c2f304b35836e0c74ba8896f9eb878ea |
| SHA1 | 8c624c2c406e9a5c5af7ccafc4610f80a031ba24 |
| SHA256 | 2e7d2ec9a085ab0800294027243d67d5803a7347f0330f7de5a1dbcbebc32e23 |
| SHA512 | 0406dcd69d8538de4a06443d096e2377eb15ff630b8bc132ea0879e9cf098f25fdee4192077b42125cdb56bd6f3d9b04746b7f13abc0fa4b84c8d01b67bc5b48 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 14a6e14fe85a4f6831a2475db58d9ba9 |
| SHA1 | 567990ee09603d5f098e2af5e990306b7b51746d |
| SHA256 | 9bd4404b13d5c49a752a923deddaf78a14ac25e98ec1c8cf28a07c4238a322b8 |
| SHA512 | 62e24bab0fc1a2b7464633e35c2df922b5e538b6050317f413d201340d3e07c6fcbe6b6fdc76ca22aac0478de0086452699fb4bbb96c4f3c705d06b6abcf126a |
memory/1680-40-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/1680-41-0x00000000048F0000-0x0000000004AFC000-memory.dmp
memory/1680-108-0x0000000000400000-0x0000000000616000-memory.dmp
memory/1680-122-0x00000000048F0000-0x0000000004AFC000-memory.dmp
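Both runs report "Renames multiple (222/591) files with added filename extension" and "Drops file in Program Files directory", and the Files sections above list the intermediate .tmp files the sample writes (desktop.ini.tmp under $Recycle.Bin, Office64WW.xml.tmp under MSOCache, 7-zip.dll.tmp under Program Files). The following Python is an added example written for this page, not sandbox output or vendor code: it shows how such a signature is computed from a file-event stream, counting in-place renames that append an extension, per process and per appended extension, within a sliding time window, and separately listing writes under Program Files. The event stream, the process path and the placeholder ".enc" extension are the author's constructions; the report does not show which extension the sample appends, and the thresholds are assumptions to tune.

```python
"""Rename-burst and Program Files drop detection from a file-event stream.

Added example for this report; not sandbox output or vendor code. The events,
the process path, the ".enc" placeholder extension and the thresholds are the
author's constructions.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
T0 = datetime(2024, 12, 27, 19, 48, 0)

# Constructed events: (timestamp, process, op, path, new_path or None).
EVENTS = [
    (T0, SAMPLE, "create", r"C:\Program Files\7-Zip\7-zip.dll.tmp", None),
    (T0, SAMPLE, "create", r"C:\$Recycle.Bin\S-1-5-21-1000\desktop.ini.tmp", None),
    # Extension replaced, not appended: must not count.
    (T0 + timedelta(seconds=5), r"C:\Windows\explorer.exe", "rename",
     r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report.pdf"),
    # Moved to another directory: must not count either.
    (T0 + timedelta(seconds=6), SAMPLE, "rename",
     r"C:\Users\Admin\Documents\old.txt", r"C:\Users\Admin\Archive\old.txt.enc"),
]
# 25 documents renamed in place with ".enc" appended, one per second.
EVENTS += [
    (T0 + timedelta(seconds=10 + i), SAMPLE, "rename",
     rf"C:\Users\Admin\Documents\doc{i}.docx", rf"C:\Users\Admin\Documents\doc{i}.docx.enc")
    for i in range(25)
]

PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def appended_extension(src, dst):
    """Return the extension appended to src's name (with its dot) when dst is
    exactly src + '.<ext>' in the same directory, else None. NTFS names are
    case-insensitive, so compare lower-cased."""
    if ntpath.dirname(src).lower() != ntpath.dirname(dst).lower():
        return None
    s, d = ntpath.basename(src), ntpath.basename(dst)
    if d.lower().startswith(s.lower() + ".") and len(d) > len(s) + 1:
        return d[len(s):]
    return None


def rename_bursts(events, min_files=20, window=timedelta(seconds=60)):
    """Per (process, appended extension), the largest number of qualifying
    renames inside any window; only keys reaching min_files are returned."""
    stamps_by_key = defaultdict(list)
    for ts, proc, op, path, new_path in events:
        if op != "rename" or new_path is None:
            continue
        ext = appended_extension(path, new_path)
        if ext:
            stamps_by_key[(proc, ext.lower())].append(ts)
    bursts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_files:
            bursts[key] = best
    return bursts


def program_files_drops(events):
    """Paths created under Program Files, sorted for stable output."""
    return sorted({path for _, _, op, path, _ in events
                   if op == "create" and path.lower().startswith(PROGRAM_DIRS)})


if __name__ == "__main__":
    for (proc, ext), n in rename_bursts(EVENTS).items():
        print(f"{proc}: {n} files renamed with '{ext}' appended")
    for path in program_files_drops(EVENTS):
        print("dropped in Program Files:", path)
```

Keying the count on the appended extension, not just on the process, is what keeps a backup tool's one-off "file.bak" renames from pooling with a mass-rename; the sliding window bounds how long a slow encryptor can spread the renames before it stops being a burst, so both knobs need tuning against the environment's normal rename rate.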