159376c3144f2abccd38d80c5cd69d18cd45232ae807b64292f213634f2087c1

Analysis

max time kernel
149s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07/05/2023, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loaderx.exe
Size

2.8MB
MD5

0ad824c9898657a25c9fc6d2239764d8
SHA1

491739333a928871bd1ec9c86f46116ad9ca1bdc
SHA256

159376c3144f2abccd38d80c5cd69d18cd45232ae807b64292f213634f2087c1
SHA512

8b0f2844eef456a3bf1a99aaa30f7670dfd2a9c94990f2a73695e10d4345f6a556f69b93b1873075bda6d8bc4f6f3d3a6d08f6c8ef8e51f3a185584bc4477a0e
SSDEEP

49152:hKQ9qcpXi6MSrzysY4bpzrLgAA8NRJFRgT/g:hKs

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1332 set thread context of 804	1332	loaderx.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1196	powershell.exe
1332	loaderx.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1332	loaderx.exe
Token: SeDebugPrivilege	804	InstallUtil.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1196	1332	loaderx.exe	28
PID 1332 wrote to memory of 1196	1332	loaderx.exe	28
PID 1332 wrote to memory of 1196	1332	loaderx.exe	28
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31
PID 1332 wrote to memory of 804	1332	loaderx.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\loaderx.exe
"C:\Users\Admin\AppData\Local\Temp\loaderx.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F66.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
memory/804-97-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-128-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-2439-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-2438-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-2416-0x0000000002300000-0x0000000002354000-memory.dmp

Filesize
336KB

Download
memory/804-2415-0x0000000002220000-0x000000000226C000-memory.dmp

Filesize
304KB

Download
memory/804-2414-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-2413-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-2412-0x0000000000950000-0x00000000009A6000-memory.dmp

Filesize
344KB

Download
memory/804-2411-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-138-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-136-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-134-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-74-0x0000000140000000-0x00000001400A0000-memory.dmp

Filesize
640KB

Download
memory/804-75-0x0000000140000000-0x00000001400A0000-memory.dmp

Filesize
640KB

Download
memory/804-77-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

Filesize
4KB

Download
memory/804-76-0x0000000140000000-0x00000001400A0000-memory.dmp

Filesize
640KB

Download
memory/804-78-0x0000000140000000-0x00000001400A0000-memory.dmp

Filesize
640KB

Download
memory/804-81-0x000000001B900000-0x000000001B9F6000-memory.dmp

Filesize
984KB

Download
memory/804-82-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-83-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-87-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-85-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-89-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-91-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-93-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-95-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-99-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-132-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-122-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-130-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-105-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-107-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-109-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-114-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-112-0x000000001BAA0000-0x000000001BB20000-memory.dmp

Filesize
512KB

Download
memory/804-111-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-120-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-118-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-116-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-101-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-124-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-126-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/804-103-0x000000001B900000-0x000000001B9F0000-memory.dmp

Filesize
960KB

Download
memory/1196-66-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-64-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1196-72-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-71-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-70-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-63-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/1196-67-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-68-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-69-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1196-65-0x0000000002590000-0x0000000002610000-memory.dmp

Filesize
512KB

Download
memory/1332-57-0x000000001BCC0000-0x000000001BD52000-memory.dmp

Filesize
584KB

Download
memory/1332-56-0x0000000002640000-0x00000000026E0000-memory.dmp

Filesize
640KB

Download
memory/1332-54-0x0000000000F70000-0x000000000123E000-memory.dmp

Filesize
2.8MB

Download
memory/1332-58-0x0000000002750000-0x00000000027D0000-memory.dmp

Filesize
512KB

Download
memory/1332-55-0x000000001B6D0000-0x000000001B850000-memory.dmp

Filesize
1.5MB

Download