Analysis Overview
SHA256
7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512
Threat Level: Known bad
The file 7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (218) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (187) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 19:48
Reported
2024-12-27 19:49
Platform
win7-20240708-en
Max time kernel
60s
Max time network
16s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Renames multiple (187) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "%CommonProgramFiles(x86)%\\Microsoft Shared\\DAO\\dao360.dll" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "dao.IndexClass" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "DAO.Index.36" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe
"C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe"
Network
Files
memory/2308-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2308-8-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/2308-1-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/2308-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2308-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2308-13-0x0000000002F30000-0x000000000313C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3551809350-4263495960-1443967649-1000\desktop.ini.tmp
| MD5 | 0522d72ec2be1aaa14fb44bc916901b8 |
| SHA1 | f59a94206d98ca19545f1098415d77b3cc43fc67 |
| SHA256 | 8d8e6bf970ed8f43b3fad8e40d44405a10026c8e52ed897d13c628c203f11eea |
| SHA512 | 19477b4b0d6426c681ae58b9972eb0dc2111519b13239d43aa4597a4ebcc999198c3dde8e93bc024e33d42fae302a890934ea606563a40fb774d541b0a5590de |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | 2cbb1ed8693fc5b5e24f04d2736a64f5 |
| SHA1 | 3f48e6e0833265bd53e833d7220147c40eb26a21 |
| SHA256 | 7ec23c8055e598213e75427bb9149210d99453b32fd260d16eca07e4622e25ca |
| SHA512 | 636ca849a8bd1fe057985d01e2a23251bfe68234e14efd13d1b4311967c3d9aba9517887615f0ad5d5e26e6b282ec3d71c9fe793f54eb2e8fe805d3e82343b81 |
memory/2308-25-0x0000000002F30000-0x000000000313C000-memory.dmp
memory/2308-43-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2308-49-0x0000000002F30000-0x000000000313C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 19:48
Reported
2024-12-27 19:49
Platform
win10v2004-20241007-en
Max time kernel
60s
Max time network
35s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Renames multiple (218) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft IME (Japanese) IFEDict" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "MSIME.Japan.FEDict.15" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\VersionIndependentProgID\ = "MSIME.Japan.FEDict" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ = "C:\\Windows\\SysWOW64\\IME\\IMEJP\\imjpapi.dll" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe
"C:\Users\Admin\AppData\Local\Temp\7a864df50615c0db2bf24cc59f14fe1c4702d930af6e5db496ef5c5263d5f512.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/384-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-2-0x0000000004940000-0x0000000004B4C000-memory.dmp
memory/384-9-0x0000000004940000-0x0000000004B4C000-memory.dmp
memory/384-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-14-0x0000000004940000-0x0000000004B4C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-4089630652-1596403869-279772308-1000\desktop.ini.tmp
| MD5 | 17679f1d2769067c6777a59e74201773 |
| SHA1 | cf7d1729207743c5329abcaa4077e61017fd9e72 |
| SHA256 | d01d0f07f5cb7f20f5313fe9fdd5c457ea297d15d8748fdfae23f0864aa3b453 |
| SHA512 | 45eb6d5495840fc5a94e5bafc3ec6da3ddac7bdd32d247dd885eac30baddcf4c93ea2e43c0e108b23fc0c35127d1acc5c437ae27298913d6594ee2e0d6f3c710 |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | 1dd12b869979b5e1057106a2c8b48b9c |
| SHA1 | 053331e7fbce5ef505693e9baea9622302473755 |
| SHA256 | 5dfa0b5ca609f8d1e3f4846682fe233c39394703e7beba4cf7260200e93b39c8 |
| SHA512 | b869b78dca540465a2429851ce48572adf680f666b4d82bbaf3d7f784617d62b419c05d4f05962c8676842ca0ad61ad2968c25a73323240e1afa801732b2a17e |
memory/384-43-0x0000000004940000-0x0000000004B4C000-memory.dmp
memory/384-42-0x0000000004940000-0x0000000004B4C000-memory.dmp
memory/384-116-0x0000000000400000-0x0000000000616000-memory.dmp
memory/384-132-0x0000000004940000-0x0000000004B4C000-memory.dmp