c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583

General

Target

c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe
Size

4.4MB
MD5

9631809ff9e66cc5809e51e2929dfbe8
SHA1

4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256

c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
SHA512

3e350e41e7a86756438762c0a6772e5781757bb941e8c88c58238e1f19e15a3eb743301119050b30476d69bc68568a0bad1cdd4560f1ecac2cf4c0c72c9d77d1
SSDEEP

98304:k8sjkFhRWieWT0ywsagZ9VeXD3qJJXg2cMUGZWh:2jyhRPeWvnzwrivWh

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000139e6-5.dat	UPX
behavioral1/memory/3028-8-0x0000000002D00000-0x0000000002F23000-memory.dmp	UPX
behavioral1/memory/2508-10-0x0000000000400000-0x0000000000623000-memory.dmp	UPX
behavioral1/files/0x000c0000000139e6-9.dat	UPX
behavioral1/files/0x000c0000000139e6-11.dat	UPX
behavioral1/memory/2508-112-0x0000000000400000-0x0000000000623000-memory.dmp	UPX

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WindowsLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	WindowsLoader.exe

Executes dropped EXE 1 IoCs

pid	Process
2508	WindowsLoader.exe

Loads dropped DLL 2 IoCs

pid	Process
3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe
2976	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000139e6-5.dat	upx
behavioral1/memory/3028-8-0x0000000002D00000-0x0000000002F23000-memory.dmp	upx
behavioral1/memory/2508-10-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral1/files/0x000c0000000139e6-9.dat	upx
behavioral1/files/0x000c0000000139e6-11.dat	upx
behavioral1/memory/2508-112-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Win = "rundll32 shell32,ShellExec_RunDLL regsvr32 -s \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sfx.dll\""	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	WindowsLoader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2508	WindowsLoader.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	WindowsLoader.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2508	WindowsLoader.exe
Token: SeIncBasePriorityPrivilege	2508	WindowsLoader.exe
Token: 33	2508	WindowsLoader.exe
Token: SeIncBasePriorityPrivilege	2508	WindowsLoader.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	WindowsLoader.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2508	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	28
PID 3028 wrote to memory of 2508	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	28
PID 3028 wrote to memory of 2508	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	28
PID 3028 wrote to memory of 2508	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	28
PID 3028 wrote to memory of 2452	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	29
PID 3028 wrote to memory of 2452	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	29
PID 3028 wrote to memory of 2452	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	29
PID 3028 wrote to memory of 2452	3028	c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe	29
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30
PID 2452 wrote to memory of 2976	2452	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe
"C:\Users\Admin\AppData\Local\Temp\c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
  C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32 -s "C:\Users\Admin\AppData\Local\Temp\sfx.dll"
    3⤵
    - Loads dropped DLL
    PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe

Filesize
373KB

MD5
51c59808d21974658408eacc8c595584

SHA1
353ded2f4b12669c93fd0c732825c6647a81ff04

SHA256
3c6f00036f34d90564ba297d097fbaa9371204ee5ebf808f862023a1fbb2a80c

SHA512
e27f3296adbd842af3323f73611f65cfd70b9f9c55fe004e5b695cb09d9fd22b39fc58035cd3d4c28d50ec93852dec4c4b4c44aadd1ec235998827595bee9356

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsLoader.exe

Filesize
655KB

MD5
493be3615913e115c24176d61dd0017c

SHA1
56ac7d951e2ac26de5777181a826ac173dfc4479

SHA256
9c3a3a9a2c4fd0e8445426b7ae8f563bdadfb2c0cdff5784a63e4f584ce413da

SHA512
0e5e05ca82f8771ed4d99da83b8823bc9f5f1b1ac1018056c5e434a0912f063c62918e5c5dd25441b1d418d291ede44b9301b2be164a1b2b0be2d4e1fe03e81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.dll

Filesize
229KB

MD5
2679654602fb90e3b162351473ce993c

SHA1
3868a8108631dc0387e12dd640f7d52f5c13783f

SHA256
013eb67309ae250c9171c942dd6f6f68571efec7b379fe8a53355147c0a947ae

SHA512
65d595abdbd49869879ac26fe2508b29a61f3a9e2230fee55169125342792b334b767ba7ca707bfebaf9ff72d5768c69d9fd9fb4f577b5fc9f83121a73898d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.dll

Filesize
1.2MB

MD5
1d758b01a084074c7a045b8c47c08182

SHA1
5828805398251f7ac8574ca5eb21d935caab4c04

SHA256
7586d5218f50714e8833b0ff3a831d7c970d8a050b3cb24f63b0ce538187fc43

SHA512
d72a00da3869bc948b12d1c76ab8d9985daac5284a9d51014c3a1b17172a6a2f2490e40ec97a0adb4d2577191a142863ad6f112a2e3809319996598d5758751b

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsLoader.exe

Filesize
651KB

MD5
022f444424c756bbc560158d3c4b68a8

SHA1
a4f85097918f97ea0a142e41b608310f65f01ca2

SHA256
23de383d0686fed9dfdadabb29172f34ff68d928fe641d8b2121ebe71978db67

SHA512
940074a38e22953e3fcd31e3b4e85e9b4b0cd131c44935e1321a51d957d309d89fbdf9f55b4ff0df9cd9d81d5410878a1172424202c2636770dcc0d3ffb8e06a

Download Submit
\Users\Admin\AppData\Local\Temp\sfx.dll

Filesize
1.5MB

MD5
eeb7ccb8bc6f41fd75cfaa5e970313df

SHA1
6390a83a02f771bf7f9f85337b9fdc46f096b3df

SHA256
1f0faafdd6463c132c39c1a87646e846f23e0db4d919cf495d5b424289248018

SHA512
f6a520e2f3cd6e9f556403a89a1645b447143b7825e77b4ac7bd96a5eb74750760e48cbbb92cd3a41b2232e42edf2fb62f585cfdb19f9d0e912e150c1d56f63f

Download Submit
memory/2508-48-0x00000000008B0000-0x00000000008C1000-memory.dmp

Filesize
68KB

Download
memory/2508-10-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2508-14-0x00000000026C0000-0x0000000002863000-memory.dmp

Filesize
1.6MB

Download
memory/2508-32-0x00000000006B0000-0x00000000006C2000-memory.dmp

Filesize
72KB

Download
memory/2508-12-0x0000000000630000-0x0000000000643000-memory.dmp

Filesize
76KB

Download
memory/2508-64-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/2508-72-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/2508-21-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2508-112-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2508-56-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2508-40-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2976-83-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2976-82-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2976-86-0x00000000027B0000-0x00000000028DE000-memory.dmp

Filesize
1.2MB

Download
memory/3028-8-0x0000000002D00000-0x0000000002F23000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads