Analysis
- max time kernel: 223s
- max time network: 247s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-02-2023 19:12
Static task: static1
Behavioral task: behavioral1
- Sample: Loader.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: Loader.exe
- Resource: win10v2004-20221111-en
General
- Target: Loader.exe
- Size: 1.6MB
- MD5: a44e526804469076d712e8a05ddd7759
- SHA1: 7010fda540e70139020a7a79730e74e99bd8e6c9
- SHA256: 46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f
- SHA512: 04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36
- SSDEEP: 49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  Processes: Loader.exe
    Description: Set value (str)
    IoC: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Google\\Chrome.exe\","
    Process: Loader.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: Loader.exe
    Description: Key value queried
    IoC: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
    Process: Loader.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe
    PID: 3116, Process: powershell.exe
    PID: 3116, Process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, Loader.exe
    Description: Token: SeDebugPrivilege, PID: 3116, Process: powershell.exe
    Description: Token: SeDebugPrivilege, PID: 4624, Process: Loader.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: Loader.exe
    Description: PID 4624 wrote to memory of 3116, PID: 4624, Process: Loader.exe, Target process: powershell.exe
    Description: PID 4624 wrote to memory of 3116, PID: 4624, Process: Loader.exe, Target process: powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 4624)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3116, child of Loader.exe)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
    (The -ENC argument is base64-encoded UTF-16LE text; it decodes to: start-sleep -seconds 32)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3116-135-0x0000000000000000-mapping.dmp
- memory/3116-136-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp (Filesize: 10.8MB)
- memory/3116-138-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp (Filesize: 10.8MB)
- memory/3116-139-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp (Filesize: 10.8MB)
- memory/4624-132-0x000001B036520000-0x000001B0366C2000-memory.dmp (Filesize: 1.6MB)
- memory/4624-133-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp (Filesize: 10.8MB)
- memory/4624-134-0x000001B036A40000-0x000001B036A62000-memory.dmp (Filesize: 136KB)
- memory/4624-137-0x00007FFF1DF40000-0x00007FFF1EA01000-memory.dmp (Filesize: 10.8MB)