banload | 76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0

Analysis

max time kernel
60s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Size

3.6MB
MD5

6a8f40126e9defe064e8dec277ab2bff
SHA1

3cad375260b6ee85e14749d224a19cd58ec9e023
SHA256

76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0
SHA512

f35767813b1510bfb88c1a5f49a909e79e4cf801c47b19ea961a35c50fd33212a68573f522deb21aa86d511f2b3267d9c34445fa211f8c4bcc8b2f508661ca3d
SSDEEP

49152:RVvn8Q5CHCtE4jPTTm4uBLq9gtMyMpy7nEvV47RIgoVjIymPh7TTY9K:RF8QUitE4iLqaPWGnEvK7R9TD

Score

10^/10

banload discovery downloader dropper evasion ransomware trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\be.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\mng.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\et.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\th.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\tabskb.dll.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\kab.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\lij.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\sa.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\en.ttt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\ta.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrfrash.dat.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InkObj.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\fa.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\fy.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sr-latn-rs.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\rtscom.dll.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\ro.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\7z.exe.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\7zFM.exe.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\descript.ion.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\History.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\si.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\yo.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\mk.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\va.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\readme.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.de-de.dll.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\co.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
File created	C:\Program Files\7-Zip\Lang\nn.txt.tmp	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version\ = "1.2"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile\ = "Biff8"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultExtension	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1\ = "&Open,0,2"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2\ = "1,1,1,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject\ = "16"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}\	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0\ = "&Edit,0,2"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0\ = "3,1,32,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3\ = "NotesDocInfo,1,1,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Implemented Categories	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main\ = "Biff8,ExcelWorksheet,ExcelML12,Biff12"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\0	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Version	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Microsoft Excel 97-2003 Worksheet"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3\ = "Microsoft Excel 2003"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable\Main	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler\ = "{98de59a0-d175-11cd-a7bd-00006b827d94}"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Verb\1	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\DefaultFile	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DocObject	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\3	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\PersistentHandler	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID\ = "Excel.Sheet.8"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\Readable	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\2	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable\Main	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable\Main\ = "Biff8,ExcelML12,Biff12"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\1\ = "2,1,16,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32\ = "ole32.dll"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\3	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\0	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\EXCEL.EXE\""	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\XLICONS.EXE,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Excel.WorksheetClass"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\MiscStatus\ = "0"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DefaultIcon	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocHandler32	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\Class = "Microsoft.Office.Interop.Excel.WorksheetClass"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable\	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ProgID	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\TypeLib\ = "{00020813-0000-0000-C000-000000000046}"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4\ = "NoteshNote,-1,1,1"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\RuntimeVersion = "v2.0.50727"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Insertable	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\AuxUserType\2\ = "Worksheet"	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\Conversion\ReadWritable	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats\GetSet\4	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\DataFormats	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4944	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
Token: SeIncBasePriorityPrivilege	4944	76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe

C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe
"C:\Users\Admin\AppData\Local\Temp\76d73b8e49c999dd262e45a1e2c88ef429da9d4bd98fc7f83f477da0bd6f24d0.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2045521122-590294423-3465680274-1000\desktop.ini.tmp

Filesize
3.7MB

MD5
14434684a038d535255983fbe492633c

SHA1
865a23a899532df5a49b1271e36230fee44dc2b1

SHA256
40184a56ff08027232718fe023ceb79dc4453ebfbcc67baea696e10dac492e12

SHA512
dd17d243682f7e69a3f26331b6b0812d2cb5d345b952d18944a99089663fa81b6d2788c3662f3ade8bb5a3647a509055a716b612109df6adf2f07477398127bf

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
3.8MB

MD5
9c1ada100328fece670e68960792fdbe

SHA1
802921df10b189e5822373d801d5267879ff050b

SHA256
fdda11f6df565074496f5b12bfd71a277e892a25cca0c9475a938460da6023c9

SHA512
320fda7111b392395976e79410a62605179b0b477a440f584cce0a872460904ee8b40152f52ec98fdde49a561bb1b3d1271d89e996b25eeb7a3b9d90b00231ac

Download Submit
memory/4944-0-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4944-2-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-9-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-12-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4944-13-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4944-14-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-38-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-39-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download
memory/4944-108-0x0000000000400000-0x0000000000616000-memory.dmp

Filesize
2.1MB

Download
memory/4944-121-0x00000000043F0000-0x00000000045FC000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads