Analysis
max time kernel: 17s
max time network: 19s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-03-2023 15:34
Behavioral task: behavioral1
Sample: Panda_Ultimate Old Loader.exe
Resource: win10v2004-20230220-en
General
Target: Panda_Ultimate Old Loader.exe
Size: 5.2MB
MD5: d66851b2f21c45925bc18377682c84b5
SHA1: 3e9bbfed894dae98afcb174c4c8d941a3c40d2f5
SHA256: 7b0bb42b025ae170b58ce04b91aa481f040454f7fca5697088d999847afd50fe
SHA512: 527fe8b25ee9184de0c14e733ddfabed0bea4ea77d7fc91ecb7aa53d0aa1abe017c79428734aa47fd44de29cdb916a14e3c56fc0d77e64b4bd0ceba71da499b3
SSDEEP: 98304:/Tjm6RjDdpleuGdTbBzuYr5X7BqYakFtrkV8yEkO6NzOlZ6i0/q:/Tj/R3N9kJ/7Bq668wNzUoi
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs
Processes:
  pid   process
  3920  Loader.exe

Loads dropped DLL 1 IoCs
Processes:
  pid   process
  3920  Loader.exe

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1688-134-0x00007FF766340000-0x00007FF766BF7000-memory.dmp  vmprotect
  C:\Windows\Fonts\Loader.exe                                                   vmprotect
  C:\Windows\Fonts\Loader.exe                                                   vmprotect
  C:\Windows\Fonts\Loader.exe                                                   vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Drops file in Windows directory 2 IoCs
Processes:
  description   ioc                                     process
  File created  C:\Windows\Fonts\Loader.exe             Panda_Ultimate Old Loader.exe
  File created  C:\Windows\Fonts\SecureEngineSDK64.dll  Panda_Ultimate Old Loader.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  1688  Panda_Ultimate Old Loader.exe  (64 identical entries)

Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                       pid   process                        target process
  PID 1688 wrote to memory of 1352  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 1688 wrote to memory of 1352  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 1688 wrote to memory of 1816  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 1688 wrote to memory of 1816  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 1816 wrote to memory of 228   1816  cmd.exe                        mode.com
  PID 1816 wrote to memory of 228   1816  cmd.exe                        mode.com
  PID 1688 wrote to memory of 2616  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 1688 wrote to memory of 2616  1688  Panda_Ultimate Old Loader.exe  cmd.exe
  PID 2616 wrote to memory of 3920  2616  cmd.exe                        Loader.exe
  PID 2616 wrote to memory of 3920  2616  cmd.exe                        Loader.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Panda_Ultimate Old Loader.exe  (PID 1688)
  command line: "C:\Users\Admin\AppData\Local\Temp\Panda_Ultimate Old Loader.exe"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe  (PID 1352)
    command line: C:\Windows\system32\cmd.exe /c Color F

  C:\Windows\system32\cmd.exe  (PID 1816)
    command line: C:\Windows\system32\cmd.exe /c MODE Con Cols=66 lines=8
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\mode.com  (PID 228)
      command line: MODE Con Cols=66 lines=8

  C:\Windows\system32\cmd.exe  (PID 2616)
    command line: C:\Windows\system32\cmd.exe /c start C:\Windows\Fonts\Loader.exe
    - Suspicious use of WriteProcessMemory

    C:\Windows\Fonts\Loader.exe  (PID 3920)
      command line: C:\Windows\Fonts\Loader.exe
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Windows\Fonts\Loader.exe
  Filesize: 6.0MB
  MD5: 5e5984142cfd45e1d69026e5d14d55eb
  SHA1: fcdcbb250971a1310797ada41e68fab0790628f1
  SHA256: 7f78bf8b886bb308c617fd58b2947ac59bb2f25d36b244bda009eaf4716f42a5
  SHA512: 999b353bf71ce4a67cb0da37fb6d0c91f7f25c91711c0459483887289578c79395094b01bfd6d8cdc5432279d88350d841e7c95e96f13e303050d2a1a5099d1e
C:\Windows\Fonts\SecureEngineSDK64.dll
  Filesize: 40KB
  MD5: cda1931d728b0ca296f43bafb23c8b2d
  SHA1: e083aa84b495b8929604e5b9088757c5a708e275
  SHA256: ff88838d35688400fd65651c5ab0fb5358af6d4eb785fb7c7d4bdedece1ad8b4
  SHA512: c7248a895e04789da3d711e4327856964aa252417aa3a918f2f98cd3a695722c9bb73b91351bae795c9eae6ff3dc911baf53ad374733092709ef4929a21a970d
memory/1688-133-0x00007FF882F10000-0x00007FF882F12000-memory.dmp
  Filesize: 8KB

memory/1688-134-0x00007FF766340000-0x00007FF766BF7000-memory.dmp
  Filesize: 8.7MB