Overview

Score  Target                 Platform
10     Static                 static
1      GitHubLoad...er.exe    windows10-2004-x64
10     GitHubLoad...ET.dll    windows10-2004-x64
1      GitHubLoad...re.dll    windows10-2004-x64
1      GitHubLoad...rk.dll    windows10-2004-x64
1      GitHubLoad...ib.dll    windows10-2004-x64
1      GitHubLoad...ml.dll    windows10-2004-x64
1      GitHubLoad...ms.dll    windows10-2004-x64
1      GitHubLoad...64.dll    windows10-2004-x64
Analysis

max time kernel:   54s
max time network:  48s
platform:          windows10-2004_x64
resource:          win10v2004-20240226-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted:         26-02-2024 21:56
Tasks

Static task static1

Behavioral task behavioral1
  Sample:   GitHubLoadTool/GitHubLoader.exe
  Resource: win10v2004-20240226-en
Behavioral task behavioral2
  Sample:   GitHubLoadTool/Microsoft.Windows.SDK.NET.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral3
  Sample:   GitHubLoadTool/PresentationCore.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral4
  Sample:   GitHubLoadTool/PresentationFramework.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral5
  Sample:   GitHubLoadTool/System.Private.CoreLib.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral6
  Sample:   GitHubLoadTool/System.Private.Xml.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral7
  Sample:   GitHubLoadTool/System.Windows.Forms.dll
  Resource: win10v2004-20240226-en
Behavioral task behavioral8
  Sample:   GitHubLoadTool/grpc_csharp_ext.x64.dll
  Resource: win10v2004-20240226-en
General

Target:  GitHubLoadTool/GitHubLoader.exe
Size:    432KB
MD5:     9a25ab8bdaa157c47a64fc2b0a1e443a
SHA1:    c96cc57a7bfeaf3415005965974ad721ffebdbbe
SHA256:  14123370ea7689a1be3d067a5a53c96c47aaf2573714a08b65a25369a7523517
SHA512:  010a8f22d17a7b17afc70c9ed12ca9a532108e99d1f3fb0dc59a0339473395aaf87781d83a14aff4bce751d4b2417f1d0edf16b6afe186ff9c325100058fed41
SSDEEP:  12288:yh1Fk70Tnvjc2VlQeYvNdJ5rIHrtrwM/22w:8k70Trc2V96NdcHrtm5
Malware Config

Extracted family: lumma
Extracted URLs:
  https://technologyenterdo.shop/api
  https://detectordiscusser.shop/api
  https://turkeyunlikelyofw.shop/api
  https://associationokeo.shop/api
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                 pid   process           target process
  set thread context of 2068  1976  GitHubLoader.exe  RegAsm.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments (the disk enumerated here reports vendor "DADY", product "HARDDISK"). All three reads come from taskmgr.exe (PID 1056), which runs as its own process-tree root and is not a child of the sample, so they should not be attributed to GitHubLoader.exe.
Processes:
  description        ioc                                                                                                                           process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                   taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. As with the SCSI reads, both IoCs belong to taskmgr.exe (PID 1056), not to the sample's process tree.
Processes:
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      taskmgr.exe

Suspicious behavior: EnumeratesProcesses (42 IoCs)
Processes:
  pid   process
  1056  taskmgr.exe  (42 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           1056  taskmgr.exe
  Token: SeSystemProfilePrivilege   1056  taskmgr.exe
  Token: SeCreateGlobalPrivilege    1056  taskmgr.exe

Suspicious use of FindShellTrayWindow (55 IoCs)
Processes:
  pid   process
  1056  taskmgr.exe  (55 identical entries)

Suspicious use of SendNotifyMessage (54 IoCs)
Processes:
  pid   process
  1056  taskmgr.exe  (54 identical entries)

Suspicious use of WriteProcessMemory (9 IoCs)
Nine writes from GitHubLoader.exe (PID 1976) into its child RegAsm.exe (PID 2068), a signed .NET Framework utility, followed by the SetThreadContext call on the same child. A memory write plus a thread-context change from a binary in a user temp directory into a trusted system binary is the classic footprint of process injection into a host process; this is the behaviour that distinguishes the sample from the benign taskmgr.exe noise above.
Processes:
  description            pid   process           target process
  wrote to memory of 2068  1976  GitHubLoader.exe  RegAsm.exe  (9 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\GitHubLoadTool\GitHubLoader.exe  (PID 1976, tree root)
  command line: "C:\Users\Admin\AppData\Local\Temp\GitHubLoadTool\GitHubLoader.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  (PID 2068)
       command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskmgr.exe  (PID 1056, separate tree root)
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
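Added example, not part of the sandbox report or of the tooling that produced it: a small Python triage helper that ingests the report's flattened IoC lines, rebuilds the process tree, flags the WriteProcessMemory + SetThreadContext pair as an injection chain only when the source lives in a user-writable directory and the target is a trusted Windows/.NET binary, and attributes each anti-sandbox registry read to the root of the tree that produced it so that a separately started tool (taskmgr.exe here) is not blamed on the sample. The event records are constructed from the values on this page; the directory heuristics (TRUSTED_DIRS, USER_WRITABLE) and the category names are this example's own assumptions.

```python
"""Triage helper for flattened sandbox IoC lines (added example, constructed input)."""
import re
from collections import defaultdict

# Process records: (pid, parent_pid, image_path). Roots have parent None.
PROCESSES = [
    (1976, None, r"C:\Users\Admin\AppData\Local\Temp\GitHubLoadTool\GitHubLoader.exe"),
    (2068, 1976, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    (1056, None, r"C:\Windows\system32\taskmgr.exe"),
]

# Cross-process IoC lines in the report's own phrasing (constructed from the page).
CROSS_PROCESS_EVENTS = [
    "PID 1976 set thread context of 2068 1976 GitHubLoader.exe RegAsm.exe",
    "PID 1976 wrote to memory of 2068 1976 GitHubLoader.exe RegAsm.exe",
    "PID 1976 wrote to memory of 2068 1976 GitHubLoader.exe RegAsm.exe",
]

# Registry IoC records: (pid, action, key path), constructed from the page.
REGISTRY_EVENTS = [
    (1056, "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000"),
    (1056, "Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"),
]

EVENT_RE = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")

# Assumed heuristics: injection targets are signed OS/.NET binaries that should
# never receive memory writes from a process living in a user-writable directory.
TRUSTED_DIRS = ("c:\\windows\\microsoft.net\\", "c:\\windows\\system32\\")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def parse_cross_process(lines):
    """Return {(src_pid, dst_pid): set(api_name)} from flat IoC lines."""
    found = defaultdict(set)
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        api = "SetThreadContext" if m.group(2).startswith("set thread") else "WriteProcessMemory"
        found[(int(m.group(1)), int(m.group(3)))].add(api)
    return found


def find_injection_chains(processes, lines):
    """Flag (src, dst) pairs that combine a memory write with a thread-context
    change, where src sits in a user-writable path and dst is a trusted binary."""
    image = {pid: path for pid, _, path in processes}
    chains = []
    for (src, dst), apis in parse_cross_process(lines).items():
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            src_path = image.get(src, "").lower()
            dst_path = image.get(dst, "").lower()
            if any(d in src_path for d in USER_WRITABLE) and dst_path.startswith(TRUSTED_DIRS):
                chains.append({"source": src, "target": dst,
                               "target_image": dst_path.rsplit("\\", 1)[-1]})
    return chains


def tree_root(processes, pid):
    """Follow parent links until a tree root is reached."""
    parent = {p: pp for p, pp, _ in processes}
    while parent.get(pid) is not None:
        pid = parent[pid]
    return pid


def classify_registry_evasion(processes, events):
    """Label anti-sandbox registry reads and attribute each to its tree root."""
    image = {pid: path for pid, _, path in processes}
    out = []
    for pid, _action, key in events:
        k = key.lower()
        if "\\enum\\scsi\\" in k:
            category = "scsi-disk-enum"
        elif "\\centralprocessor\\" in k:
            category = "cpu-info"
        else:
            continue  # not one of the evasion checks this example knows about
        root = tree_root(processes, pid)
        out.append({"pid": pid, "category": category,
                    "root_image": image[root].rsplit("\\", 1)[-1]})
    return out


if __name__ == "__main__":
    for c in find_injection_chains(PROCESSES, CROSS_PROCESS_EVENTS):
        print(f"injection chain: {c['source']} -> {c['target']} ({c['target_image']})")
    for r in classify_registry_evasion(PROCESSES, REGISTRY_EVENTS):
        print(f"evasion check {r['category']} by pid {r['pid']}, tree root {r['root_image']}")
```

Run against the constructed input, the helper reports one injection chain (1976 into 2068, RegAsm.exe) and attributes both registry checks to the taskmgr.exe root rather than to the sample. The duplicate WriteProcessMemory lines collapse into a single pair because the pair key is (source, target), which is also why the report's nine identical rows add no information beyond the first.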