Analysis
max time kernel: 30s
max time network: 33s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 04/06/2023, 13:03
General
Target: loader.exe
Size: 9.2MB
MD5: 1a2909a1b777484531a1871f22629143
SHA1: e2f792d90fd3fce5f48a916d45013ebcc58071b9
SHA256: 07ea7f5fe652166f661cab9f6339b8dbe8c3d43944a75dea8a944d8c0d5118ae
SHA512: 72e471fb93a3ee8d6529d67849ff4eb8197d89ff3f5327d0b240a97f87d45a0f554dc114cb81f8d0a994594d4b153a27b69cb788fd874fd58d51f8e16983d529
SSDEEP: 196608:Q6ayQyLW3tOhirKqtFqgle+mMONDERm3qujPB827ea7YCR9PQqG:QXyQLOhiWife+mlwsnC2as9dG
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoCs
  description: Key opened
  ioc: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  Process: loader.exe

Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Process: loader.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  Process: loader.exe

resource / yara_rule
  behavioral1/memory/4268-116-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-117-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-118-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-119-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-120-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-121-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-122-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-123-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-124-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-125-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-126-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-127-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-128-0x0000000000090000-0x0000000001766000-memory.dmp  themida
  behavioral1/memory/4268-129-0x0000000000090000-0x0000000001766000-memory.dmp  themida

Checks whether UAC is enabled
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoCs
  pid: 4268  Process: loader.exe

Program crash - 1 IoCs
  pid: 4008  pid_target: 4268  Process: WerFault.exe  procid_target: 65

Suspicious behavior: EnumeratesProcesses - 2 IoCs
  pid: 4268  Process: loader.exe
  pid: 4268  Process: loader.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\loader.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   PID: 4268

2. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1100
   - Program crash
   PID: 4008