Overview

overview

8

Static

static

3

loader.exe

windows7-x64

1

loader.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    19s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2023 17:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    432KB

  • MD5

    413a3d49f4adb3884681f6d4d105db8b

  • SHA1

    61d2c8399aa4e617e304ed2a0c05c9c7a7238a26

  • SHA256

    010c52ec93079261ddc217aaf07a9d68c99b0db18b20d3c13da14c0a678cfa0c

  • SHA512

    3593b9ebfcf993b843dd30b0ff6ba2d93ec99788956e5b698a85a0c5eaa4da55cfe6ed263f94d5c106f0bd67e72a76d2f6bf4ec436d95f13673f2443d4b3260e

  • SSDEEP

    6144:LlwK7bLc8s+Pd5fNUay9mcmP8fv6LvycJ3nN2MNg7QnB8Ntf01dP74:BrPny2POk3nWoB8Nq1q

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3624
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM csgo.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM csgo.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3256
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c taskkill /F /IM steam.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM steam.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\perimede\perimede.dll
    Filesize

    1.4MB

    MD5

    98bec6e4199a60f89061be742dab069d

    SHA1

    56a047909eaf30a441865c2e2d5cf86a4b437c26

    SHA256

    74c931ee8a2e96b4ca8c48dab25e084bf29069eae66be182bd5f4243f5418f63

    SHA512

    f763f765f5d303792554c4b0ef96fedb93200d486a82fdc25ea5e6f9d74fcec5de397613fc64ea1cc4d5c8db6811db26b3f64ef5cbc3c568f68cc6c8f048f8c8

    Download Submit

  • C:\Users\Admin\AppData\Roaming\perimede\perimede.dll
    Filesize

    1.4MB

    MD5

    98bec6e4199a60f89061be742dab069d

    SHA1

    56a047909eaf30a441865c2e2d5cf86a4b437c26

    SHA256

    74c931ee8a2e96b4ca8c48dab25e084bf29069eae66be182bd5f4243f5418f63

    SHA512

    f763f765f5d303792554c4b0ef96fedb93200d486a82fdc25ea5e6f9d74fcec5de397613fc64ea1cc4d5c8db6811db26b3f64ef5cbc3c568f68cc6c8f048f8c8

    Download Submit