Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-06-2024 18:00
Behavioral task behavioral1: Sample Loader.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample Loader.exe, Resource win10v2004-20240508-en
(The signatures, process tree and memory dumps below are from behavioral1; every IoC references that task.)
General
Target: Loader.exe
Size: 16.8MB
MD5: 0107075cd4f1ba34b951c895eacc1285
SHA1: f50404806a62dc04ab129397e30a9cb1d2dbc8db
SHA256: b6977ad0b0332d1466e0843ebef2decc3e2fcc01f8fc62da2d3f2e716a63dc81
SHA512: 0ededb1af828e7fd85b3fa38f5f17ba21222c6e0da5a1f46f5328acd379aca9153d9dd5c9da904d1a834d2b5baac2e12017aaa023d93f5b3bf312f19e1540915
SSDEEP: 393216:muBhAp43/nfPmZXtCshmXQ3KIpoOwkwbyco/76hikE1cpPFLc5:FspnJh13Zcm76+MPZE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe
Creates new service(s) (2 TTPs; no IoC recorded, the signature is derived from the sc.exe command lines in the process tree)
Drops file in Drivers directory (1 IoC)
Processes:
  description | ioc | process
  File created | C:\Windows\System32\drivers\winhb.sys | Loader.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe
Themida-packed memory regions (YARA rule match "themida", 6 IoCs; the signature title itself was lost in extraction, only the rule name survives)
Processes:
  resource | yara_rule
  behavioral1/memory/2352-0-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
  behavioral1/memory/2352-2-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
  behavioral1/memory/2352-5-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
  behavioral1/memory/2352-4-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
  behavioral1/memory/2352-3-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
  behavioral1/memory/2352-11-0x0000000140000000-0x00000001425F1000-memory.dmp | themida
Checks whether UAC is enabled (1 IoC; title taken from the process tree, where this signature is listed for Loader.exe)
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe
Drops file in System32 directory (6 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Loader.exe
  File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
  File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
  File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Loader.exe
  File opened for modification | C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
  File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
NtSetInformationThread with the ThreadHideFromDebugger class stops the kernel from delivering debug events for that thread to an attached debugger; it is a common anti-debugging step and fits the Themida packing seen above.
Processes:
  pid | process
  2352 | Loader.exe
Drops file in Windows directory (4 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Loader.exe
  File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Loader.exe
  File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Loader.exe
  File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
Launches sc.exe (4 IoCs)
sc.exe is the Windows utility used to create, configure, start and stop services (including kernel-mode driver services).
Processes:
  pid | process
  2860 | sc.exe
  2108 | sc.exe
  2736 | sc.exe
  2548 | sc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  pid | process
  2352 | Loader.exe (16 identical entries)
Suspicious use of WriteProcessMemory (39 IoCs)
Each parent/child pair below was recorded three times, which accounts for the 39 entries.
Processes:
  source pid | source process | target pid | target process | count
  2352 | Loader.exe | 2380 | cmd.exe | 3
  2380 | cmd.exe | 2860 | sc.exe | 3
  2352 | Loader.exe | 2116 | cmd.exe | 3
  2116 | cmd.exe | 2108 | sc.exe | 3
  2352 | Loader.exe | 1996 | cmd.exe | 3
  2352 | Loader.exe | 2696 | cmd.exe | 3
  2352 | Loader.exe | 2724 | cmd.exe | 3
  2696 | cmd.exe | 2736 | sc.exe | 3
  2352 | Loader.exe | 2560 | cmd.exe | 3
  2560 | cmd.exe | 2440 | certutil.exe | 3
  2560 | cmd.exe | 2156 | find.exe | 3
  2560 | cmd.exe | 2872 | find.exe | 3
  2724 | cmd.exe | 2548 | sc.exe | 3
Processes
(Tree depth follows the report; PIDs are taken from the WriteProcessMemory records above.)

C:\Users\Admin\AppData\Local\Temp\Loader.exe  (PID 2352)
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe  (PID 2380)
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe  (PID 2860)
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe  (PID 2116)
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe  (PID 2108)
      sc start windowsproc
      - Launches sc.exe

  C:\Windows\system32\cmd.exe  (PID 1996)
    C:\Windows\system32\cmd.exe /c cls

  C:\Windows\System32\cmd.exe  (PID 2696)
    "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe  (PID 2736)
      sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe  (PID 2724)
    "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe  (PID 2548)
      sc start windowsproc
      - Launches sc.exe

  C:\Windows\system32\cmd.exe  (PID 2560)
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe  (PID 2440)
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

    C:\Windows\system32\find.exe  (PID 2156)
      find /i /v "md5"

    C:\Windows\system32\find.exe  (PID 2872)
      find /i /v "certutil"

Two things to take from this tree. First, the loader drops winhb.sys into System32\drivers and then tries twice to register it as a kernel-mode service named windowsproc and start it. sc.exe requires a space after each option name (type= kernel, binpath= C:\...), which these command lines lack, and the "Creates new service(s)" signature above carries no service-creation IoC, so this report does not confirm that the driver was actually installed or loaded in this run. Second, the certutil pipeline hashes Loader.exe's own file: the two find /i /v filters strip certutil's header line ("MD5 hash of ...") and its footer line ("CertUtil: -hashfile command completed successfully."), leaving only the digest on stdout for the loader to read back. That is consistent with a self-integrity (anti-tamper/anti-patch) check, not with any administrative use of certutil.
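The two behaviours in this tree that matter for detection are the kernel-mode service registration through sc.exe and a process hashing its own image through certutil. The following is an added example, not the sandbox's code or output: detection logic in Python run over constructed Sysmon-style process-creation records that mirror the report's process tree (pid, parent pid, image, command line). The loader's parent pid (1000) is an assumed placeholder, the last record is an invented benign control, and the rule names are this example's own.

```python
"""Added detection example: flag (1) a kernel-mode service created through
sc.exe and (2) certutil -hashfile aimed at an ancestor process's own image,
over constructed process-creation records (not sandbox output)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the report's tree. ppid 1000 for the loader
# is an assumed placeholder; the report does not give its parent.
EVENTS = [
    Event(2352, 1000, r"C:\Users\Admin\AppData\Local\Temp\Loader.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Loader.exe"'),
    Event(2380, 2352, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys'),
    Event(2860, 2380, r"C:\Windows\system32\sc.exe",
          r"sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys"),
    Event(2116, 2352, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C sc start windowsproc'),
    Event(2108, 2116, r"C:\Windows\system32\sc.exe", r"sc start windowsproc"),
    Event(2560, 2352, r"C:\Windows\system32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"'),
    Event(2440, 2560, r"C:\Windows\system32\certutil.exe",
          r'certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5'),
    # Invented benign control: a user-mode service written with the spacing
    # sc.exe actually requires ("type= own").
    Event(3001, 3000, r"C:\Windows\system32\sc.exe",
          r"sc create PrintSvc2 type= own binpath= C:\Windows\System32\spoolsv.exe"),
]

# sc.exe options are "key= value" (space required). The sample wrote
# "type=kernel" with no space; the pattern accepts both spellings.
SC_OPT = re.compile(r"\b(type|binpath|start)=\s*(\S+)", re.I)
HASHFILE = re.compile(r'certutil(?:\.exe)?\s+-hashfile\s+"?([^"\s]+)"?', re.I)


def sc_options(cmdline: str) -> dict:
    """Parse sc.exe options into a lower-cased {name: value} dict."""
    return {k.lower(): v for k, v in SC_OPT.findall(cmdline)}


def kernel_driver_service(ev: Event):
    """Driver path if ev is `sc create ... type= kernel`, otherwise None."""
    if not ev.image.lower().endswith("\\sc.exe"):
        return None
    toks = ev.cmdline.split()
    if len(toks) < 2 or toks[1].lower() != "create":
        return None
    opts = sc_options(ev.cmdline)
    if opts.get("type", "").lower() != "kernel":
        return None
    return opts.get("binpath")


def ancestors(ev: Event, by_pid: dict) -> list:
    """Parent chain of ev, nearest first, as far as the records go."""
    chain, seen, cur = [], set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def self_hash_target(ev: Event, by_pid: dict):
    """The ancestor whose own image certutil -hashfile is hashing, or None.
    A process hashing its own binary is an integrity check, not admin work."""
    m = HASHFILE.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1).lower()
    for a in ancestors(ev, by_pid):
        if a.image.lower() == target:
            return a
    return None


def detect(events) -> list:
    """Return (rule, pid, detail) for every hit in events."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        drv = kernel_driver_service(ev)
        if drv is not None:
            hits.append(("kernel_driver_service_create", ev.pid, drv))
        anc = self_hash_target(ev, by_pid)
        if anc is not None:
            hits.append(("self_hash_via_certutil", ev.pid, anc.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The self-hash rule deliberately walks the parent chain rather than only the direct parent, because here the certutil process sits under cmd.exe, one level below the binary being hashed; matching only the parent would miss it. The sc rule keys on `type= kernel` rather than on the service name, since the name (windowsproc) is attacker-chosen and the driver path is what the responder needs to collect.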
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps)
  file | size
  memory/2352-1-0x0000000077C10000-0x0000000077C12000-memory.dmp | 8KB
  memory/2352-0-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB
  memory/2352-2-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB
  memory/2352-5-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB
  memory/2352-4-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB
  memory/2352-3-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB
  memory/2352-11-0x0000000140000000-0x00000001425F1000-memory.dmp | 37.9MB