Analysis
- max time kernel: 64s
- max time network: 54s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-07-2021 10:42
- Static task: static1
- Behavioral task: behavioral1 (Sample: Windows Loader.exe, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: Windows Loader.exe, Resource: win10v20210408)

General
- Target: Windows Loader.exe
- Size: 3.8MB
- MD5: 323c0fd51071400b51eedb1be90a8188
- SHA1: 0efc35935957c25193bbe9a83ab6caa25a487ada
- SHA256: 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
- SHA512: 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  - PID 1440: bootsect.exe

- Possible privilege escalation attempt (4 IoCs)
  Processes:
  - PID 1504: icacls.exe
  - PID 1016: takeown.exe
  - PID 1696: icacls.exe
  - PID 1676: takeown.exe

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | IoC | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Windows Loader.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Windows Loader.exe

- Modifies file permissions (1 TTP, 4 IoCs)
  Processes:
  - PID 1676: takeown.exe
  - PID 1504: icacls.exe
  - PID 1016: takeown.exe
  - PID 1696: icacls.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | IoC | process):
  - Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Windows Loader.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Windows Loader.exe

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1912: Windows Loader.exe

- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes (description | PID | process):
  - Token: 33 | 1912 | Windows Loader.exe
  - Token: SeIncBasePriorityPrivilege | 1912 | Windows Loader.exe
  - Token: 33 | 1912 | Windows Loader.exe
  - Token: SeIncBasePriorityPrivilege | 1912 | Windows Loader.exe
  - Token: SeTakeOwnershipPrivilege | 1676 | takeown.exe
  - Token: SeTakeOwnershipPrivilege | 1016 | takeown.exe
  - Token: SeShutdownPrivilege | 2016 | shutdown.exe
  - Token: SeRemoteShutdownPrivilege | 2016 | shutdown.exe
  - Token: 33 | 1248 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 1248 | AUDIODG.EXE
  - Token: 33 | 1248 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 1248 | AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 1912: Windows Loader.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID / process wrote to memory of target PID / process; the report records each write as a separate IoC, 64 in total):
  - 1912 Windows Loader.exe -> 1484 cmd.exe (4 events)
  - 1484 cmd.exe -> 1852 cmd.exe (4 events)
  - 1852 cmd.exe -> 1676 takeown.exe (4 events)
  - 1912 Windows Loader.exe -> 1004 cmd.exe (4 events)
  - 1004 cmd.exe -> 1504 icacls.exe (4 events)
  - 1912 Windows Loader.exe -> 668 cmd.exe (4 events)
  - 668 cmd.exe -> 1560 cmd.exe (4 events)
  - 1560 cmd.exe -> 1016 takeown.exe (4 events)
  - 1912 Windows Loader.exe -> 1868 cmd.exe (4 events)
  - 1868 cmd.exe -> 1696 icacls.exe (4 events)
  - 1912 Windows Loader.exe -> 1688 cmd.exe (4 events)
  - 1688 cmd.exe -> 944 cscript.exe (3 events)
  - 1912 Windows Loader.exe -> 1108 cmd.exe (4 events)
  - 1108 cmd.exe -> 1536 cscript.exe (3 events)
  - 1912 Windows Loader.exe -> 276 cmd.exe (4 events)
  - 276 cmd.exe -> 1092 compact.exe (4 events)
  - 1912 Windows Loader.exe -> 1836 cmd.exe (2 events)
Processes (process tree; nested entries are child processes)
- C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
  Signatures: Checks BIOS information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\ldrscan\bootwin
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\takeown.exe
        Command line: takeown /f C:\ldrscan\bootwin
        Signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
      Signatures: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
  - C:\Windows\system32\cmd.exe
    Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk YKHFT-KW986-GK4PY-FDWYH-7TP9F"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cscript.exe
      Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk YKHFT-KW986-GK4PY-FDWYH-7TP9F
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "compact /u \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\compact.exe
      Command line: compact /u \\?\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
    - C:\bootsect.exe
      Command line: C:\bootsect.exe /nt60 SYS /force
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /A /C "shutdown -r -t 0"
    - C:\Windows\SysWOW64\shutdown.exe
      Command line: shutdown -r -t 0
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x570
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Downloads (files written during the run)
- C:\Acer.XRM-MS
- C:\bootsect.exe
- \??\Volume{efb60be3-9a04-11eb-be03-806e6f6e6963}\CZWFV