Analysis
max time kernel: 46s
max time network: 56s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 18:00
Behavioral task behavioral1: sample Loader.exe, resource win7-20240221-en
Behavioral task behavioral2: sample Loader.exe, resource win10v2004-20240508-en
General
Target: Loader.exe
Size: 16.8MB
MD5: 0107075cd4f1ba34b951c895eacc1285
SHA1: f50404806a62dc04ab129397e30a9cb1d2dbc8db
SHA256: b6977ad0b0332d1466e0843ebef2decc3e2fcc01f8fc62da2d3f2e716a63dc81
SHA512: 0ededb1af828e7fd85b3fa38f5f17ba21222c6e0da5a1f46f5328acd379aca9153d9dd5c9da904d1a834d2b5baac2e12017aaa023d93f5b3bf312f19e1540915
SSDEEP: 393216:muBhAp43/nfPmZXtCshmXQ3KIpoOwkwbyco/76hikE1cpPFLc5:FspnJh13Zcm76+MPZE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  (process: Loader.exe)
Creates new service(s) 2 TTPs
Drops file in Drivers directory 1 IoCs
Processes:
  File created: C:\Windows\System32\drivers\winhb.sys  (process: Loader.exe)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  (process: Loader.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  (process: Loader.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation  (process: Loader.exe)
YARA rule matches (rule: themida)
Processes:
  behavioral2/memory/4120-0-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-2-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-3-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-4-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-5-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-9-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
  behavioral2/memory/4120-11-0x0000000140000000-0x00000001425F1000-memory.dmp  themida
Checks whether UAC is enabled
Processes:
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: Loader.exe)
Drops file in System32 directory 6 IoCs
Processes:
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}  (process: Loader.exe)
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}  (process: Loader.exe)
  File opened for modification: C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}  (process: Loader.exe)
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}  (process: Loader.exe)
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}  (process: Loader.exe)
  File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}  (process: Loader.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid 4120  Loader.exe
Drops file in Windows directory 4 IoCs
Processes:
  File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}  (process: Loader.exe)
  File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}  (process: Loader.exe)
  File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}  (process: Loader.exe)
  File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}  (process: Loader.exe)
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid 1948  sc.exe
  pid 3048  sc.exe
  pid 4748  sc.exe
  pid 1000  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid 4120  Loader.exe  (64 entries)
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
  pid 660  (process name not recorded; 2 entries)
Suspicious use of WriteProcessMemory 18 IoCs
Processes (each write below is recorded twice in the report, 18 entries in total):
  PID 4120 (Loader.exe) wrote to memory of 60 (cmd.exe)
  PID 60 (cmd.exe) wrote to memory of 4748 (sc.exe)
  PID 4120 (Loader.exe) wrote to memory of 1944 (cmd.exe)
  PID 1944 (cmd.exe) wrote to memory of 1000 (sc.exe)
  PID 4120 (Loader.exe) wrote to memory of 348 (cmd.exe)
  PID 348 (cmd.exe) wrote to memory of 1948 (sc.exe)
  PID 4120 (Loader.exe) wrote to memory of 4132 (cmd.exe)
  PID 4132 (cmd.exe) wrote to memory of 3048 (sc.exe)
  PID 4120 (Loader.exe) wrote to memory of 4024 (cmd.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"  (depth 1)
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys  (depth 2)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe  sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys  (depth 3)
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C sc start windowsproc  (depth 2)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe  sc start windowsproc  (depth 3)
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys  (depth 2)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe  sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys  (depth 3)
      - Launches sc.exe
  C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /C sc start windowsproc  (depth 2)
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe  sc start windowsproc  (depth 3)
      - Launches sc.exe
  C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /c cls  (depth 2)
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory/4120-1-0x00007FF965530000-0x00007FF965532000-memory.dmp  filesize 8KB
memory/4120-0-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-2-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-3-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-4-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-5-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-9-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB
memory/4120-11-0x0000000140000000-0x00000001425F1000-memory.dmp  filesize 37.9MB