Analysis
max time kernel: 29s
max time network: 33s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 25-03-2023 21:23
Behavioral task: behavioral1
Sample: Loader_.exe
Resource: win7-20230220-en
General
Target: Loader_.exe
Size: 8.8MB
MD5: f5b49bd5b215416c31650c1bf1047e33
SHA1: 3e8468db67c3b41eeab8017018670ae57afe702d
SHA256: ea25a8909d0bd9438586d97aa8919fc90ad8cef0043ea13fec603c780e0427e1
SHA512: 2a9c5682794eb761a7a7b8d78db8a2dc39b94b2a0779f3ed250101deecfca9ef27257bf1d9a7de2aff13abba995da2fc95a623481e23cb631449434fcce558a2
SSDEEP: 196608:3lViYdgxP1MTFmMUwMqhmrOGSF2yCVbXyqsz5p5:3riYexPQUwMqhmrlS0pynz5p5
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader_.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader_.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader_.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1060 | Loader_.exe
  1060 | Loader_.exe
- YARA rule match: themida
  Processes:
  resource | yara_rule
  behavioral1/memory/1060-54-0x000000013F980000-0x0000000141190000-memory.dmp | themida
  behavioral1/memory/1060-59-0x000000013F980000-0x0000000141190000-memory.dmp | themida
  behavioral1/memory/1060-60-0x000000013F980000-0x0000000141190000-memory.dmp | themida
  behavioral1/memory/1060-61-0x000000013F980000-0x0000000141190000-memory.dmp | themida
  behavioral1/memory/1060-66-0x000000013F980000-0x0000000141190000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader_.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid | process
  1060 | Loader_.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader_.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader_.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\d3d11.dll
  Filesize: 2.4MB
  MD5: b284ae0d37cc7d47fc149bf93ef6a5bf
  SHA1: 3952b84377b0a1d267daae711ee47581749cb2a3
  SHA256: 0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b
  SHA512: b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33
- \Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
  Filesize: 4.1MB
  MD5: 222d020bd33c90170a8296adc1b7036a
  SHA1: 612e6f443d927330b9b8ac13cc4a2a6b959cee48
  SHA256: 4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3
  SHA512: ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6
- memory/1060-54-0x000000013F980000-0x0000000141190000-memory.dmp
  Filesize: 24.1MB
- memory/1060-59-0x000000013F980000-0x0000000141190000-memory.dmp
  Filesize: 24.1MB
- memory/1060-60-0x000000013F980000-0x0000000141190000-memory.dmp
  Filesize: 24.1MB
- memory/1060-61-0x000000013F980000-0x0000000141190000-memory.dmp
  Filesize: 24.1MB
- memory/1060-66-0x000000013F980000-0x0000000141190000-memory.dmp
  Filesize: 24.1MB