Analysis Overview
SHA256
99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b
Threat Level: Known bad
The file 99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Renames multiple (434) files with added filename extension
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (200) files with added filename extension
Checks BIOS information in registry
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-27 20:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-27 20:00
Reported
2024-12-27 20:03
Platform
win7-20240903-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Renames multiple (200) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "Outlook Network Neighborhood Management Module" | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe
"C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe"
Network
Files
memory/2600-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2600-1-0x0000000003000000-0x000000000320C000-memory.dmp
memory/2600-8-0x0000000003000000-0x000000000320C000-memory.dmp
memory/2600-11-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2600-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2600-13-0x0000000003000000-0x000000000320C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-2872745919-2748461613-2989606286-1000\desktop.ini.tmp
| MD5 | 81674b97ba84862a9cde9163e8b03051 |
| SHA1 | 19719ef014addd9952f13c88cbe2677f14505176 |
| SHA256 | 529207cab010f65dee2c7d6d721e07a684e6b3cdf7adfaa18f34b20e69326f9d |
| SHA512 | fb8d1f325921ad365bb5ae5a03dca5c05973706b10536379318025e5b0834ba6e24ffb20c6d5a068ce68e15f1983c9db8fc248e2dd87ee49b0faa8ccda75453a |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp
| MD5 | d0bb9270649d118b5e142879bc49d6cd |
| SHA1 | 3dce6293f1ba03c972c8dd82ead973574e84f4f3 |
| SHA256 | 6f2597f04024e573a91ddab3c4ba1d5de32d820ff92ba9a734f0c9058c03a42d |
| SHA512 | ad3cd9f9cce29f0b20254ac2033f7c294a80cd7636ed32e52ba6065ce2b00ae1ae0a352925ce7d1dca7ff725cf9f77e019e584a68803f9045a41da8f7d0c86ac |
memory/2600-25-0x0000000003000000-0x000000000320C000-memory.dmp
memory/2600-26-0x0000000003000000-0x000000000320C000-memory.dmp
memory/2600-39-0x0000000000400000-0x0000000000616000-memory.dmp
memory/2600-43-0x0000000003000000-0x000000000320C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-27 20:00
Reported
2024-12-27 20:03
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Banload
Banload family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Renames multiple (434) files with added filename extension
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Drops file in Program Files directory
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\provsvc.dll" | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2} | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5ADD62E2-4A23-86F4-8704-0C62BF6886E2}\ = "HomeGroup Network" | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe
"C:\Users\Admin\AppData\Local\Temp\99720d4692de6ffc03f6f71713accf903387729e685dfd091d92c6e8605c485b.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
memory/3388-0-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3388-2-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/3388-9-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/3388-12-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3388-13-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3388-14-0x0000000004960000-0x0000000004B6C000-memory.dmp
C:\$Recycle.Bin\S-1-5-21-3756129449-3121373848-4276368241-1000\desktop.ini.tmp
| MD5 | a3e94ff5e7a2ac18619f0b6b58f487a2 |
| SHA1 | b3c6894b8b5e56c344edf90923fbb8a18c52ed28 |
| SHA256 | 134d781b9cd5e6afb8dd72b80718bc90b6f657334d9aa475d31415b465cdff76 |
| SHA512 | 326c6eaaa37570d4c855b64f19905846f9889ee3b4168796d5c32ee6cba94c4e1b12b098c02b8b46a029415ca4bdcffa79dc6c9815bcb7038a05fa4f1be1e71f |
C:\Program Files\7-Zip\7-zip.dll.tmp
| MD5 | b6afd7c629ee81e895a4d7718561bed5 |
| SHA1 | e521724e959b2e4f80fa85f6915fdeae92d0f31c |
| SHA256 | 7b6dc4ae4e08709e87b0bda9435d4bc47075bfe161b63d2fdec9cda5140c7674 |
| SHA512 | d76926301c871d3d7c9ba51ec6472223055afb75eb671f0bef5439e2552953e06969e688ab2119b94ea30ee3d5abdd3135c51ea9971369fdc54dd1743139bd36 |
memory/3388-37-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/3388-36-0x0000000004960000-0x0000000004B6C000-memory.dmp
memory/3388-96-0x0000000000400000-0x0000000000616000-memory.dmp
memory/3388-108-0x0000000004960000-0x0000000004B6C000-memory.dmp