Overview

overview

8

Static

static

7

Windows Lo...2..exe

windows7-x64

Analysis

  • max time kernel
    58s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    22/04/2023, 23:28

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Windows Loader 2.2.2..exe

  • Size

    3.8MB

  • MD5

    323c0fd51071400b51eedb1be90a8188

  • SHA1

    0efc35935957c25193bbe9a83ab6caa25a487ada

  • SHA256

    2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

  • SHA512

    4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

  • SSDEEP

    49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt

Score
8/10
discoveryexploitupx

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
    exploit
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows Loader 2.2.2..exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Loader 2.2.2..exe"
    1⤵
    • Checks BIOS information in registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • Suspicious use of AdjustPrivilegeToken
          PID:1068
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1764
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c takeown /f C:\ldrscan\bootwin
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f C:\ldrscan\bootwin
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          PID:1416
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:1388
    • C:\Windows\system32\cmd.exe
      cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\System32\cscript.exe
        C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
        3⤵
          PID:1640
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1288
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          3⤵
            PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /A /C "compact /u \\?\Volume{b3ac5a43-b1b4-11ed-a5ad-806e6f6e6963}\LMFTS"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1724
          • C:\Windows\SysWOW64\compact.exe
            compact /u \\?\Volume{b3ac5a43-b1b4-11ed-a5ad-806e6f6e6963}\LMFTS
            3⤵
              PID:1512
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
            2⤵
              PID:1732
              • C:\bootsect.exe
                C:\bootsect.exe /nt60 SYS /force
                3⤵
                • Executes dropped EXE
                PID:316
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /A /C "shutdown -r -t 0"
              2⤵
                PID:1784
                • C:\Windows\SysWOW64\shutdown.exe
                  shutdown -r -t 0
                  3⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1352
            • C:\Windows\system32\LogonUI.exe
              "LogonUI.exe" /flags:0x0
              1⤵
                PID:1624
              • C:\Windows\system32\AUDIODG.EXE
                C:\Windows\system32\AUDIODG.EXE 0x47c
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:672
              • C:\Windows\system32\LogonUI.exe
                "LogonUI.exe" /flags:0x1
                1⤵
                  PID:700

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Acer.XRM-MS
                  Filesize

                  2KB

                  MD5

                  f25832af6a684360950dbb15589de34a

                  SHA1

                  17ff1d21005c1695ae3dcbdc3435017c895fff5d

                  SHA256

                  266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

                  SHA512

                  e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

                  Download Submit

                • C:\bootsect.exe
                  Filesize

                  95KB

                  MD5

                  a062e202e6101250f485fc679e2aef82

                  SHA1

                  9c18280712e8012d590b63dc90e42b88d6971c9b

                  SHA256

                  32edfecff169c82107f520f6b2a6b56d14f714ef22be7aef9676082e89a5525e

                  SHA512

                  d02e9a8708b0e4a99b623cc3525105ecd48ef79e7f9bfac6d34cadd38c31ff9bf2485f1d84f33f5e9057bf0c3603b86bab6003ee876f865e2f5ca04ddb394379

                  Download Submit

                • C:\bootsect.exe
                  Filesize

                  95KB

                  MD5

                  a062e202e6101250f485fc679e2aef82

                  SHA1

                  9c18280712e8012d590b63dc90e42b88d6971c9b

                  SHA256

                  32edfecff169c82107f520f6b2a6b56d14f714ef22be7aef9676082e89a5525e

                  SHA512

                  d02e9a8708b0e4a99b623cc3525105ecd48ef79e7f9bfac6d34cadd38c31ff9bf2485f1d84f33f5e9057bf0c3603b86bab6003ee876f865e2f5ca04ddb394379

                  Download Submit

                • \??\Volume{b3ac5a43-b1b4-11ed-a5ad-806e6f6e6963}\LMFTS
                  Filesize

                  301KB

                  MD5

                  65d2cb2335caef8fcd8b2e250b395fb7

                  SHA1

                  211cd0c5b6aabe003111d0abfe112b896808286b

                  SHA256

                  a9cb332b98f76372b56e9bb96de6011a7cad57cb6dfec1f585b1ba53ee9984ab

                  SHA512

                  810867c04783ff9a37c858385357160feb2e9803ff01f5d221174c6e8c81a3e2da266b27b2c87959c237861aba48f0565510a34575da636fcb8c07ff8ca5c237

                  Download Submit

                • memory/700-141-0x00000000026E0000-0x00000000026E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1532-91-0x00000000006A0000-0x00000000006B0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1532-120-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-107-0x00000000006C0000-0x00000000006E0000-memory.dmp

                  Filesize

                  128KB

                  Download

                • memory/1532-116-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-117-0x00000000020F0000-0x0000000002293000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/1532-118-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-119-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-99-0x00000000006B0000-0x00000000006C0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1532-125-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-54-0x0000000000630000-0x0000000000643000-memory.dmp

                  Filesize

                  76KB

                  Download

                • memory/1532-83-0x0000000000680000-0x0000000000691000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1532-75-0x0000000010000000-0x0000000010021000-memory.dmp

                  Filesize

                  132KB

                  Download

                • memory/1532-67-0x0000000000660000-0x0000000000672000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/1532-139-0x0000000000400000-0x0000000000623000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/1532-62-0x0000000000650000-0x0000000000660000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1624-140-0x0000000002840000-0x0000000002841000-memory.dmp

                  Filesize

                  4KB

                  Download