c664614d5d1e59781979ae6798e22bfc58806bf69f53733c0c5a442a5ece569d

Analysis

max time kernel
91s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2023 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LoaderVIP.exe
Size

16KB
MD5

6f5421bf85609014b9d02dfdd8d3bb63
SHA1

9badca86c2b8c820f9550175dc9057aeaf806dc9
SHA256

c664614d5d1e59781979ae6798e22bfc58806bf69f53733c0c5a442a5ece569d
SHA512

8284007e621155b58dcebdcf5327585f5cb4c78b7da63eae075f3e2d5f462cd3ad8549f2728d921690015358dcdf6fa3a8008966794b7daa265de81e19d5286e
SSDEEP

384:3n79UVHt9Qtl/Tehau23G6c6YcN09t6cDE33DhSHkON/GlfgOb5:3WptYQhaN39W4JiE33VSEONulfgO

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4568	Token.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LoaderVIP.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AF\Token.exe	LoaderVIP.exe
File opened for modification	C:\Windows\AF\Token.mentah	LoaderVIP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4312	4204	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4568	Token.exe
4568	Token.exe
4568	Token.exe
4568	Token.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4568	4972	LoaderVIP.exe	83
PID 4972 wrote to memory of 4568	4972	LoaderVIP.exe	83
PID 4972 wrote to memory of 4568	4972	LoaderVIP.exe	83

C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe
"C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\AF\Token.exe
  "C:\Windows\AF\Token.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 476 -p 4204 -ip 4204
1⤵
PID:1524

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4204 -s 1776
1⤵
- Program crash
PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\AF\Token.exe

Filesize
31KB

MD5
7ff593be08ec2166028b0c2e9140d427

SHA1
5801cf0792e979b0d42534f894bd5986800a9306

SHA256
30e3fd4808544b1c250e3b126c1c4fa10b11a31bde563f9526751ef640544ced

SHA512
b5376b6b0709ee2ebc0c4a5d6da33050c8e0b7e61da983860f1df3d58870ca8f2c0a3c56de46ef8b8c05187765e6840edc4ae7275a0e957dfca68103d00fe0e9

Download Submit
C:\Windows\AF\Token.exe

Filesize
31KB

MD5
7ff593be08ec2166028b0c2e9140d427

SHA1
5801cf0792e979b0d42534f894bd5986800a9306

SHA256
30e3fd4808544b1c250e3b126c1c4fa10b11a31bde563f9526751ef640544ced

SHA512
b5376b6b0709ee2ebc0c4a5d6da33050c8e0b7e61da983860f1df3d58870ca8f2c0a3c56de46ef8b8c05187765e6840edc4ae7275a0e957dfca68103d00fe0e9

Download Submit