Analysis
-
max time kernel
50s -
max time network
23s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
21-05-2024 21:56
General
-
Target
ldr_37Q9.exe
-
Size
22.8MB
-
MD5
f775faca16d1b2838c5791143b8922df
-
SHA1
458cda4c1ac20baef0b78e1e825db67208375cb4
-
SHA256
7e2d0dde21a16920961db184e4b6e8a7c9632ab648bb64c0121d995181f385cf
-
SHA512
15743e0d941684897c4703b1738aeb6cdb8e25f9a1cd529d82828f85d9efb37a111581d25db27464c89ad1bb99e043dea143448614077c306b0b98ae1fa77bae
-
SSDEEP
393216:MUfnewiuTWW//yUcTCCnfk5M60cr0zCLRUJhmeA71q983HgROYx5OJ5b:MGnFlWW/u1nMn0cr0zI1qy3HgROHJt
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 2 IoCs
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 13 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ldr_37Q9.exe"C:\Users\Admin\AppData\Local\Temp\ldr_37Q9.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\ldr_37q9.exec:\users\admin\appdata\local\temp\ldr_37q9.exe2⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ldr_PjOE.exe"ldr_PjOE.exe" "c:\users\admin\appdata\local\temp\ldr_37q9.exe "3⤵
- Looks for VMWare Tools registry key
- Executes dropped EXE
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
10KB
MD5df46eb1fe5d54a0521d9965203a4a9da
SHA1e977aae1bb82f3d57267ead3b91df3d82d6d50c6
SHA2566076a9ea8f52f5ad109fbe29f955ee052f626b22ee45366bfa83f70706744b1d
SHA5125bc5f8d247ba164f1af6f4ae902906568a4e9baf05c9782d999e537730d8cfe443daac6f44aa246f27e9678237a4b57a7e8411e3c4fbe88e943525cdb2ae239e
-
C:\Users\Admin\AppData\Local\Temp\ldr_37q9.exeFilesize
20.3MB
MD5b0caecdef6da0e989fc5d545af92c8f2
SHA1ad155c304a90781bdeaa4e82298a81602a469b86
SHA25698a47a2151c6e3dc9a0d44aacf2681c022d2edb032a76c2a427ee41d99b44651
SHA512535f59e26acfaf011baf8cb2462bb2e7156c9be6c4b9c8fe3074474158821047ac0135443e3c03b5a883c76f369402e27f2e643d7b44137a4553ad9128318794
-
C:\Users\Admin\AppData\Local\Temp\ldr_PjOE.exeFilesize
19.0MB
MD5fd540d5d8315371f3e9a2012fe748f27
SHA19d5315512258da692709581ef4341eccdce21308
SHA2568329f1f5752c277742bd5ac8307a33e7963e167e7eda61e47210c264ab78c24f
SHA512fbb807273b1aa3db4c168b344d9c9899bac6859ab2e68f388367118e6b5e977cba045ffaba91e9288215ca04ce6a9b3dacc2fd41a2ad5edc2de3e78de72463c7
-
C:\Windows\Resources\Themes\explorer.exeFilesize
2.5MB
MD5d4c793412dd24ff5cf0c33106929aefd
SHA1d3d76e235dd976c0ac6563a52998431adff8f959
SHA25613396a49857ffac0f9855e952eab9ef7091eea604222d78a78bab66b55265189
SHA512eca15629d7e1a04f3516471788a6264fdf5b8245fdb121f6a1424c88d75bce4b965aa5331404c85741a500741febe7ef0a46e04b753562971ff9952ad2be2b6b
-
C:\Windows\Resources\Themes\icsys.icn.exeFilesize
2.5MB
MD5b523ef40a4446533e23e153d02f873cb
SHA1c1612e4a89791ad234d6de39cdb5db8df7167801
SHA2567916937369a7266aa46a0a58258320a6764be18b745f08ab4356b8974abe63b9
SHA5121941af9170687229b38a98c4a1cab9096a3b9409b027bca3e67a7cd158bde5dc2099f1c945fa1882ff1a1edb6ac50f49fbc61020334f7d2f4982734c6829435b
-
C:\Windows\Resources\spoolsv.exeFilesize
2.5MB
MD5c92ec2b7c18e66be75cfb1d6f624de80
SHA146d8a6219b09f52b5e24461143860ed4e51990d5
SHA25626d230d5ecfbcf5d04cf46725002958c662682240c63bf45762ff5b189ad12fa
SHA512825c8b391b1f2e5a535b8245f7f74feabf600f42efd0ffdae2da2d77c96dfbb2cd9df1ebb9c661ff2c17084770b8d959bc6b19361c75b50bc05f0634975767da
-
C:\Windows\Resources\svchost.exeFilesize
2.5MB
MD56477082b716cdd2b2f18bbd680625fac
SHA10c574851ac441999daf8e54be5fd5af5962c67bd
SHA2564a78f129a94ef9260afaf1fdc5fe8aab235a6acd0141e6fb7ff44672f68d450f
SHA5129785e5f5402a9c7ef8136d992dcb7b5963e71a2cf280dd1cbba7c26dd848e7ddce4f80df52c8d6722c807972bd705e7548eef9ad2dda05168be0709da1741d63
-
memory/1448-56-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1448-0-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/1448-1-0x00000000773F6000-0x00000000773F8000-memory.dmpFilesize
8KB
-
memory/1740-58-0x00007FF62DB40000-0x00007FF62FE0E000-memory.dmpFilesize
34.8MB
-
memory/1740-62-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmpFilesize
64KB
-
memory/1740-71-0x00007FF62DB40000-0x00007FF62FE0E000-memory.dmpFilesize
34.8MB
-
memory/1740-57-0x00007FF81DE50000-0x00007FF81DE52000-memory.dmpFilesize
8KB
-
memory/3200-76-0x00007FF632B30000-0x00007FF634BF2000-memory.dmpFilesize
32.8MB
-
memory/3200-75-0x00007FF81DE50000-0x00007FF81DE52000-memory.dmpFilesize
8KB
-
memory/3200-80-0x00007FF7DDCD0000-0x00007FF7DDCE0000-memory.dmpFilesize
64KB
-
memory/3200-84-0x00007FF632B30000-0x00007FF634BF2000-memory.dmpFilesize
32.8MB
-
memory/3200-97-0x00007FF632B30000-0x00007FF634BF2000-memory.dmpFilesize
32.8MB
-
memory/3688-12-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/3688-54-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4316-67-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4316-40-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-50-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4916-45-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4984-52-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/4984-31-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5024-22-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB
-
memory/5024-66-0x0000000000400000-0x0000000000A0E000-memory.dmpFilesize
6.1MB