Overview

overview

10

Static

static

10

Loader.exe

windows10-1703-x64

7

Resubmissions

02-04-2023 01:46

230402-b7efyaea46 10

02-04-2023 01:25

230402-bs432sfc2z 10

Analysis

  • max time kernel
    76s
  • max time network
    70s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-04-2023 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    27KB

  • MD5

    a765b141758f0ec10521afa80e041f68

  • SHA1

    9417433c49c7ff3a5cba76d46b5e551203e8afbe

  • SHA256

    096fb9885d983bd9d2190ce312517caa75fcbfd44236fca51d6e23609240086d

  • SHA512

    9519a9d63b175392119f5553ff6d9cd76d8d145fc0070e252225a429a6238d89a7e6190548376a85eb162af6d4d0e376740ee05f2244cc760ffe0d045d8d86d8

  • SSDEEP

    384:eLw6lnw3m4Afp1UDMoC2PDdVlMVAQk93vmhm7UMKmIEecKdbXTzm9bVhcaCh6frZ:IwyBPqqVA/vMHTi9bDC

Score
7/10
ransomware

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Drops startup file
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Local\Temp\tmp1349.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp1349.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3736
    • C:\Windows\SysWOW64\Shutdown.exe
      Shutdown -l
      2⤵
        PID:4152
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x3d8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0 /state0:0xa3ad9055 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:4328

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Defacement

    1
    T1491

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1349.tmp.exe
      Filesize

      24KB

      MD5

      10e89ee9c92c4d0060aee0481c7d3ba6

      SHA1

      9514b295a97bebbb3321f9a790ef3c4c99fb5881

      SHA256

      6805d47786d5fdb951ded12d78bbbb113433cfe289f423366d0cc3e51399ce8c

      SHA512

      3f7c86b2beeae6291a6237c0372bf48b2938c2c416461173e7114830d15abd88e730b7d8f41c8656ce6b94034a9fa33b2d32b0d9f52fc3af970b4a3a4b8a4d89

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp1349.tmp.exe
      Filesize

      24KB

      MD5

      10e89ee9c92c4d0060aee0481c7d3ba6

      SHA1

      9514b295a97bebbb3321f9a790ef3c4c99fb5881

      SHA256

      6805d47786d5fdb951ded12d78bbbb113433cfe289f423366d0cc3e51399ce8c

      SHA512

      3f7c86b2beeae6291a6237c0372bf48b2938c2c416461173e7114830d15abd88e730b7d8f41c8656ce6b94034a9fa33b2d32b0d9f52fc3af970b4a3a4b8a4d89

      Download Submit
    • memory/1008-119-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1008-122-0x0000000000AB0000-0x0000000000AC0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3736-131-0x0000000002710000-0x0000000002720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3736-132-0x0000000002710000-0x0000000002720000-memory.dmp
      Filesize

      64KB

      Download