569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d

Analysis

max time kernel
15s
max time network
24s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
13/11/2023, 17:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

21.2MB
MD5

641724e3d8211104be31438b62dc7d15
SHA1

114e784ccc74babf9590583bff1e1e83e8929bb4
SHA256

569542c9e1cc03c6e2482db365581e60c94f6fae7e130059ecd6fd4e1501ac2d
SHA512

5fc3562e2b0483f9c6ca6b16586d9f15b585b692f98c7547f3ce087114e9c8bb35e7a2d54e0e788489573ebf405650104c8ebf377baddc3cbacc8321916eeb2f
SSDEEP

393216:FBKR69QxEl93SQh6mn7tG+vp2jbKmMQL8NGm10C9REV6f01Serw2ngtTV:LKIsGj6CRGu23MBGm9wXzngT

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
604	Loader.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4656	sc.exe
2420	sc.exe
308	sc.exe
3832	sc.exe
5112	sc.exe
796	sc.exe
220	sc.exe
1000	sc.exe
4812	sc.exe
2004	sc.exe
3052	sc.exe
1032	sc.exe
1960	sc.exe
4984	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 10 IoCs

evasion

pid	Process
4040	taskkill.exe
4284	taskkill.exe
3588	taskkill.exe
3500	taskkill.exe
3584	taskkill.exe
3504	taskkill.exe
1284	taskkill.exe
3640	taskkill.exe
304	taskkill.exe
4608	taskkill.exe

Runs net.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 3512	604	Loader.exe	72
PID 604 wrote to memory of 3512	604	Loader.exe	72
PID 604 wrote to memory of 1676	604	Loader.exe	74
PID 604 wrote to memory of 1676	604	Loader.exe	74

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:3512
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:4232
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:4024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:1676
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:4116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:4560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:2320
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:2824
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:4656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:520
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:4984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:1248
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:4812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:4472
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:5112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:2404
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:2560
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:4136
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:4932
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3584
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop FACEIT >nul 2>&1
  2⤵
  PID:5032
- - C:\Windows\system32\net.exe
    net stop FACEIT
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop FACEIT
      4⤵
      PID:4152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C net stop ESEADriver2 >nul 2>&1
  2⤵
  PID:4380
- - C:\Windows\system32\net.exe
    net stop ESEADriver2
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop ESEADriver2
      4⤵
      PID:5004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:5036
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker3 >nul 2>&1
  2⤵
  PID:4792
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker3
    3⤵
    - Launches sc.exe
    PID:796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker2 >nul 2>&1
  2⤵
  PID:1680
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker2
    3⤵
    - Launches sc.exe
    PID:220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop KProcessHacker1 >nul 2>&1
  2⤵
  PID:428
- - C:\Windows\system32\sc.exe
    sc stop KProcessHacker1
    3⤵
    - Launches sc.exe
    PID:1032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop wireshark >nul 2>&1
  2⤵
  PID:4820
- - C:\Windows\system32\sc.exe
    sc stop wireshark
    3⤵
    - Launches sc.exe
    PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  PID:4928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - Kills process with taskkill
    PID:1284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc stop npf >nul 2>&1
  2⤵
  PID:4004
- - C:\Windows\system32\sc.exe
    sc stop npf
    3⤵
    - Launches sc.exe
    PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  PID:1340
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - Kills process with taskkill
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
  2⤵
  PID:3068
- - C:\Windows\system32\sc.exe
    sc stop HTTPDebuggerPro
    3⤵
    - Launches sc.exe
    PID:308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
  2⤵
  PID:2636
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
  2⤵
  PID:1384
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:4284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
  2⤵
  PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
    3⤵
    - Kills process with taskkill
    PID:3588

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:3500

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
1⤵
- Kills process with taskkill
PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/604-0-0x00007FFFC63B0000-0x00007FFFC658B000-memory.dmp

Filesize
1.9MB

Download
memory/604-2-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-3-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-4-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-5-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-6-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-7-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-8-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download
memory/604-9-0x00007FF6F2860000-0x00007FF6F617A000-memory.dmp

Filesize
57.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads