752e7d326d94fefa12869bee8c54bfb197d193f151d72f936457a27bbd6b6877

Analysis

max time kernel
223s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2023 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

1.6MB
MD5

a44e526804469076d712e8a05ddd7759
SHA1

7010fda540e70139020a7a79730e74e99bd8e6c9
SHA256

46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f
SHA512

04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36
SSDEEP

49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Loader.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\","	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation Loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3116 powershell.exe
3116 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exeLoader.exe

description pid process

Token: SeDebugPrivilege 3116 powershell.exe
Token: SeDebugPrivilege 4624 Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	Loader.exe

pid	process
3116	powershell.exe
3116	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	4624	Loader.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Loader.exe

description	pid	process	target process
PID 4624 wrote to memory of 3116	4624	Loader.exe	powershell.exe
PID 4624 wrote to memory of 3116	4624	Loader.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3116-135-0x0000000000000000-mapping.dmp

Download
memory/3116-136-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp

Filesize
10.8MB

Download
memory/3116-138-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp

Filesize
10.8MB

Download
memory/3116-139-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp

Filesize
10.8MB

Download
memory/4624-132-0x000001B036520000-0x000001B0366C2000-memory.dmp

Filesize
1.6MB

Download
memory/4624-133-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp

Filesize
10.8MB

Download
memory/4624-134-0x000001B036A40000-0x000001B036A62000-memory.dmp

Filesize
136KB

Download
memory/4624-137-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp

Filesize
10.8MB

Download