Analysis Overview
SHA256
4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91
Threat Level: Known bad
The file 4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Downloads MZ/PE file
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-11 05:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-11 05:53
Reported
2025-02-11 05:58
Platform
win7-20241010-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Banload
Banload family
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C} | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ = "TokenActivation Class" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32\ThreadingModel = "Free" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TypeLib\ = "{B0C2A63F-AFF8-40E3-B42D-8A542DC909EC}" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID\ = "SppComApi.TokenActivation" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\AppID = "{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B}" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32\ = "%SystemRoot%\\system32\\sppcomapi.dll" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ProgID | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ProgID\ = "SppComApi.TokenActivation.1" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe
"C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe"
Network
Files
memory/3032-0-0x00000000023B0000-0x000000000259A000-memory.dmp
memory/3032-7-0x00000000023B0000-0x000000000259A000-memory.dmp
memory/3032-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/3032-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/3032-14-0x00000000023B0000-0x000000000259A000-memory.dmp
memory/3032-16-0x00000000004B0000-0x00000000004B1000-memory.dmp
memory/3032-17-0x00000000023B0000-0x000000000259A000-memory.dmp
memory/3032-19-0x0000000140000000-0x00000001402C8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-11 05:53
Reported
2025-02-11 05:56
Platform
win10v2004-20250207-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Banload
Banload family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Note: both discovery signatures above fire on MicrosoftEdgeUpdate.exe, the Microsoft Edge updater present on the win10v2004 image, not on the sample process. The report records no parent/child relationship between the two processes, and the only network traffic captured in this run goes to Microsoft and Bing hosts. Treat these two techniques as attributed to the updater, not confirmed for the sample, until a run shows the sample itself performing them.
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32\ThreadingModel = "both" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\Version | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\LocalServer32\ = "%SystemRoot%\\system32\\plasrv.exe" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\VersionIndependentProgID\ = "PLA.SystemDataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ = "ServerDataCollectorSet" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ProgID | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\TypeLib\ = "{03837500-098B-11D8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32\ = "%SystemRoot%\\System32\\pla.dll" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\ProgID\ = "PLA.SystemDataCollectorSet.1" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C} | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\AppID = "{03837503-098b-11d8-9414-505054503030}" | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
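As an added example (not code from the report, the sandbox, or the sample), the Python below folds the "Modifies registry class" rows of both detonations into one view of the CLSID registration and flags any InprocServer32 or LocalServer32 path that does not resolve under a Windows system directory, which is the indicator that separates a genuine COM hijack from a registration that points at a legitimate binary. The rows are transcribed from the tables above; the final "hijack" row, the payload.dll name in it, and the assumption that %SystemRoot% is C:\Windows are constructed for illustration. On the report's own rows the check shows that every server the sample registered points at a Windows binary (sppcomapi.dll on win7; pla.dll and plasrv.exe on win10), so what the tables record is the creation of a new CLSID rather than the rewriting of an existing class's server path.

```python
"""Rebuild a COM class registration from sandbox registry events and flag
server paths outside the Windows system directory (added example)."""
import re
from typing import Dict, List, Optional, Tuple

CLSID = "{843C246E-107F-4C30-57C1-D5603BC7D37C}"
HIVE = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\"
K = HIVE + CLSID  # key path exactly as the report prints it

# Transcribed from the behavioral1 (win7) table.
ROWS_WIN7: List[Tuple[str, str]] = [
    ("Key created", K),
    ("Set value (str)", K + r'\ = "TokenActivation Class"'),
    ("Set value (str)", K + r'\InprocServer32\ThreadingModel = "Free"'),
    ("Set value (str)", K + r'\TypeLib\ = "{B0C2A63F-AFF8-40E3-B42D-8A542DC909EC}"'),
    ("Set value (str)", K + r'\VersionIndependentProgID\ = "SppComApi.TokenActivation"'),
    ("Set value (str)", K + r'\AppID = "{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B}"'),
    ("Key created", K + r'\InprocServer32'),
    ("Set value (str)", K + r'\InprocServer32\ = "%SystemRoot%\\system32\\sppcomapi.dll"'),
    ("Set value (str)", K + r'\ProgID\ = "SppComApi.TokenActivation.1"'),
]
# Transcribed from the behavioral2 (win10) table.
ROWS_WIN10: List[Tuple[str, str]] = [
    ("Set value (str)", K + r'\InprocServer32\ThreadingModel = "both"'),
    ("Set value (str)", K + r'\Version\ = "1.0"'),
    ("Set value (str)", K + r'\LocalServer32\ = "%SystemRoot%\\system32\\plasrv.exe"'),
    ("Set value (str)", K + r'\VersionIndependentProgID\ = "PLA.SystemDataCollectorSet"'),
    ("Set value (str)", K + r'\ = "ServerDataCollectorSet"'),
    ("Set value (str)", K + r'\InprocServer32\ = "%SystemRoot%\\System32\\pla.dll"'),
    ("Set value (str)", K + r'\ProgID\ = "PLA.SystemDataCollectorSet.1"'),
    ("Set value (str)", K + r'\AppID = "{03837503-098b-11d8-9414-505054503030}"'),
]
# Constructed, NOT from the report: what a real server-path hijack would look like.
ROWS_HIJACK: List[Tuple[str, str]] = [
    ("Set value (str)", K + r'\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\payload.dll"'),
]

CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")


def parse_row(indicator: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one indicator into (clsid, subkey, value_name, data).

    Rows without ' = ' only create a key and yield None.  A path that ends in
    a backslash before ' = ' is the key's default value (empty value name).
    """
    m = CLSID_RE.search(indicator)
    if m is None or " = " not in indicator[m.end():]:
        return None
    path, data = indicator[m.end():].split(" = ", 1)
    data = data.strip().strip('"').replace("\\\\", "\\")  # report escapes '\' as '\\'
    path = path.lstrip("\\")
    if path.endswith("\\"):
        return m.group(1), path.rstrip("\\"), "", data
    subkey, _, name = path.rpartition("\\")
    return m.group(1), subkey, name, data


def build_registration(rows: List[Tuple[str, str]]) -> Dict[str, Dict[Tuple[str, str], str]]:
    """Fold Set-value rows into {clsid: {(subkey, value_name): data}}."""
    reg: Dict[str, Dict[Tuple[str, str], str]] = {}
    for _desc, indicator in rows:
        parsed = parse_row(indicator)
        if parsed:
            clsid, subkey, name, data = parsed
            reg.setdefault(clsid, {})[(subkey, name)] = data
    return reg


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def resolve(path: str) -> str:
    """Expand %SystemRoot% (assumed C:\\Windows) and normalise case."""
    return path.replace("%SystemRoot%", "C:\\Windows").lower()


def assess(reg: Dict[str, Dict[Tuple[str, str], str]]) -> Dict[str, dict]:
    """Per CLSID: class name, ProgID, and each server path with an in_system_dir flag."""
    out: Dict[str, dict] = {}
    for clsid, values in reg.items():
        servers = {}
        for key in ("InprocServer32", "LocalServer32"):
            if (key, "") in values:
                path = values[(key, "")]
                servers[key] = {"path": path, "in_system_dir": resolve(path).startswith(SYSTEM_DIRS)}
        out[clsid] = {"class": values.get(("", "")), "progid": values.get(("ProgID", "")), "servers": servers}
    return out


def suspicious_servers(reg: Dict[str, Dict[Tuple[str, str], str]]) -> List[Tuple[str, str, str]]:
    """[(clsid, subkey, path)] for every server that does not resolve under a system directory."""
    return [(c, k, s["path"]) for c, f in assess(reg).items()
            for k, s in f["servers"].items() if not s["in_system_dir"]]


if __name__ == "__main__":
    for label, rows in (("win7", ROWS_WIN7), ("win10", ROWS_WIN10), ("constructed hijack", ROWS_HIJACK)):
        print(label, assess(build_registration(rows)), suspicious_servers(build_registration(rows)))
```

Run as a script it prints all three assessments; only the constructed row is reported by suspicious_servers. Hunting for this sample's artefact on an endpoint is then a matter of checking whether HKLM\SOFTWARE\Classes\CLSID\{843C246E-107F-4C30-57C1-D5603BC7D37C} exists at all, since the CLSID is created by the sample, and where its InprocServer32 and LocalServer32 values point.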
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege) | N/A | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe
"C:\Users\Admin\AppData\Local\Temp\4d5179d5481f3643e17397e6c08bbf5c9f491a0bf980b1272db4c334cdb80e91.exe"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzI2NTExNDI2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| US | 199.232.210.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
memory/3428-1-0x0000000002750000-0x000000000293A000-memory.dmp
memory/3428-7-0x0000000002750000-0x000000000293A000-memory.dmp
memory/3428-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/3428-14-0x0000000002750000-0x000000000293A000-memory.dmp
memory/3428-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/3428-16-0x0000000002110000-0x0000000002111000-memory.dmp
memory/3428-17-0x0000000002750000-0x000000000293A000-memory.dmp
memory/3428-19-0x0000000140000000-0x00000001402C8000-memory.dmp