Analysis Overview
SHA256
c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1
Threat Level: Known bad
The file c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1 was found to be: Known bad.
Malicious Activity Summary
Banload
Banload family
Checks BIOS information in registry
Event Triggered Execution: Component Object Model Hijacking
Unsigned PE
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-25 17:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-25 17:01
Reported
2025-02-25 17:04
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Banload
Banload family
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0} | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ = "MsCtfMonitor task handler" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32\ = "%SystemRoot%\\system32\\MsCtfMonitor.dll" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe
"C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe"
Network
Files
memory/2692-0-0x0000000002410000-0x00000000025FA000-memory.dmp
memory/2692-7-0x0000000002410000-0x00000000025FA000-memory.dmp
memory/2692-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/2692-16-0x0000000001D40000-0x0000000001D41000-memory.dmp
memory/2692-14-0x0000000002410000-0x00000000025FA000-memory.dmp
memory/2692-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/2692-17-0x0000000002410000-0x00000000025FA000-memory.dmp
memory/2692-19-0x0000000140000000-0x00000001402C8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-25 17:01
Reported
2025-02-25 17:04
Platform
win10v2004-20250217-en
Max time kernel
111s
Max time network
147s
Command Line
Signatures
Banload
Banload family
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0} | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\ = "MsCtfMonitor task handler" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32\ = "%SystemRoot%\\system32\\MsCtfMonitor.dll" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD032C9B-8F11-E980-1181-CF9942277AA0}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe
"C:\Users\Admin\AppData\Local\Temp\c4bdbd7738a494010351a8bafd2e1444f50dccb1f2eacf2d1e5bae38b514b8c1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/540-0-0x0000000002690000-0x000000000287A000-memory.dmp
memory/540-7-0x0000000002690000-0x000000000287A000-memory.dmp
memory/540-12-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/540-14-0x0000000002690000-0x000000000287A000-memory.dmp
memory/540-13-0x0000000140000000-0x00000001402C8000-memory.dmp
memory/540-16-0x0000000002E80000-0x0000000002E81000-memory.dmp
memory/540-17-0x0000000002690000-0x000000000287A000-memory.dmp
memory/540-19-0x0000000140000000-0x00000001402C8000-memory.dmp