Analysis Overview
SHA256
c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1
Threat Level: Known bad
The file c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-25 16:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-25 16:53
Reported
2025-02-25 16:55
Platform
win7-20241023-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Banload
Banload family
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ = "Virtual Factory for DiagCpl" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\LocalizedString = "@%SystemRoot%\\System32\\DiagCpl.dll,-1" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\Elevation | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\Elevation\Enabled = "1" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InProcServer32\ = "%SystemRoot%\\System32\\shpafact.dll" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\VirtualServerObjects | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0} | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\AppId = "{12C21EA7-2EB8-4B55-9249-AC243DA8C666}" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\Elevation\IconReference = "@%Systemroot%\\System32\\DiagCpl.dll,-1" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\VirtualServerObjects\{d0b7e02c-e1a3-11dc-81ff-001185ae5e76} | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe
"C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe"
Network
Files
memory/2604-7-0x0000000002430000-0x000000000261A000-memory.dmp
memory/2604-0-0x0000000002430000-0x000000000261A000-memory.dmp
memory/2604-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/2604-14-0x0000000002430000-0x000000000261A000-memory.dmp
memory/2604-16-0x0000000001D50000-0x0000000001D51000-memory.dmp
memory/2604-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/2604-17-0x0000000002430000-0x000000000261A000-memory.dmp
memory/2604-19-0x0000000140000000-0x00000001402C8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-25 16:53
Reported
2025-02-25 16:55
Platform
win10v2004-20250217-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Banload
Banload family
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\LocalServer32\ServerExecutable = "%SystemRoot%\\System32\\rundll32.exe" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\TypeLib | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\VersionIndependentProgID\ = "Microsoft.PhotoAcqHWEventHandler" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ = "PhotoAcqHWEventHandler" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\LocalServer32\ = "\"%SystemRoot%\\System32\\rundll32.exe\" \"%ProgramFiles%\\Windows Photo Viewer\\PhotoAcq.dll\",AutoplayComServerW {00f2b433-44e4-4d88-b2b0-2698a0a91dba}" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ProgID | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ProgID\ = "Microsoft.PhotoAcqHWEventHandler.1" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\Version | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0} | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\AppID = "{00f2b433-44e4-4d88-b2b0-2698a0a91dba}" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe
"C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
Files
memory/448-7-0x0000000002700000-0x00000000028EA000-memory.dmp
memory/448-0-0x0000000002700000-0x00000000028EA000-memory.dmp
memory/448-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/448-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/448-14-0x0000000002700000-0x00000000028EA000-memory.dmp
memory/448-16-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/448-17-0x0000000002700000-0x00000000028EA000-memory.dmp
memory/448-19-0x0000000140000000-0x00000001402C8000-memory.dmp