Analysis

  • max time kernel
    54s
  • max time network
    47s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
  • submitted
    22-05-2024 05:01

General

  • Target

    Loader.exe

  • Size

    3.4MB

  • MD5

    31718a8cc11d08a8d32292ce022b67e0

  • SHA1

    6714f288d498562f8dbb8e3a2e9ee3d20d71c658

  • SHA256

    66c3dd691e89e216bae7b3dd20598b80469bd868267183eb21acab5a563a4ea9

  • SHA512

    477651c024c4bb3f364cc1fff28382fb5b33ac76d1c138e31846ce3afcd602d40014ab622bbf6418a69075311d76aed52c72fee90bbedbdf15b85859e75329a2

  • SSDEEP

    49152:MxmvumkQ9lY9sgUXdTPSxdQ8KX75IyuWuCjcCqWOyxNL9bzjEj+O93+xr:Mxx9NUFkQx753uWuCyyxXOru9

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
  • Stops running service(s) 4 TTPs
  • Checks BIOS information in registry 2 TTPs 12 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Themida packer 17 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Kills process with taskkill 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5084
    • \??\c:\users\admin\appdata\local\temp\loader.exe 
      c:\users\admin\appdata\local\temp\loader.exe 
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3208
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c Color 4
        3⤵
          PID:1196
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3688
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3284
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3424
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4260
          • C:\Windows\system32\taskkill.exe
            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:992
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\system32\sc.exe
            sc stop HTTPDebuggerPro
            4⤵
            • Launches sc.exe
            PID:1148
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3216
          • C:\Windows\system32\taskkill.exe
            taskkill /IM HTTPDebuggerSvc.exe /F
            4⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:3804
        • C:\Windows\SYSTEM32\cmd.exe
          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
          3⤵
            PID:2420
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\loader.exe " MD5
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3896
            • C:\Windows\system32\certutil.exe
              certutil -hashfile "c:\users\admin\appdata\local\temp\loader.exe " MD5
              4⤵
                PID:2160
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:2264
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1572
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:5092
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1508
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1220
              • C:\Windows\system32\taskkill.exe
                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1456
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3184
              • C:\Windows\system32\sc.exe
                sc stop HTTPDebuggerPro
                4⤵
                • Launches sc.exe
                PID:1280
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4920
              • C:\Windows\system32\taskkill.exe
                taskkill /IM HTTPDebuggerSvc.exe /F
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2024
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
              3⤵
                PID:1424
              • C:\Windows\SYSTEM32\cmd.exe
                cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                3⤵
                  PID:2308
                  • C:\Windows\system32\taskkill.exe
                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                    4⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4912
                • C:\Windows\SYSTEM32\cmd.exe
                  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                  3⤵
                    PID:824
                    • C:\Windows\system32\taskkill.exe
                      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                      4⤵
                      • Kills process with taskkill
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4400
                  • C:\Windows\SYSTEM32\cmd.exe
                    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                    3⤵
                      PID:1172
                      • C:\Windows\system32\taskkill.exe
                        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                        4⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4480
                    • C:\Windows\SYSTEM32\cmd.exe
                      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                      3⤵
                        PID:4060
                        • C:\Windows\system32\sc.exe
                          sc stop HTTPDebuggerPro
                          4⤵
                          • Launches sc.exe
                          PID:4264
                      • C:\Windows\SYSTEM32\cmd.exe
                        cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                        3⤵
                          PID:428
                          • C:\Windows\system32\taskkill.exe
                            taskkill /IM HTTPDebuggerSvc.exe /F
                            4⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:5032
                        • C:\Windows\SYSTEM32\cmd.exe
                          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                          3⤵
                            PID:3396
                          • C:\Windows\SYSTEM32\cmd.exe
                            cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                            3⤵
                              PID:1616
                              • C:\Windows\system32\taskkill.exe
                                taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                4⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3048
                            • C:\Windows\SYSTEM32\cmd.exe
                              cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                              3⤵
                                PID:1584
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                  4⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4276
                              • C:\Windows\SYSTEM32\cmd.exe
                                cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                3⤵
                                  PID:4368
                                  • C:\Windows\system32\taskkill.exe
                                    taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                    4⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2720
                                • C:\Windows\SYSTEM32\cmd.exe
                                  cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                  3⤵
                                    PID:2712
                                    • C:\Windows\system32\sc.exe
                                      sc stop HTTPDebuggerPro
                                      4⤵
                                      • Launches sc.exe
                                      PID:1632
                                  • C:\Windows\SYSTEM32\cmd.exe
                                    cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                    3⤵
                                      PID:3596
                                      • C:\Windows\system32\taskkill.exe
                                        taskkill /IM HTTPDebuggerSvc.exe /F
                                        4⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4584
                                    • C:\Windows\SYSTEM32\cmd.exe
                                      cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                      3⤵
                                        PID:3108
                                      • C:\Windows\SYSTEM32\cmd.exe
                                        cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                        3⤵
                                          PID:1216
                                          • C:\Windows\system32\taskkill.exe
                                            taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                            4⤵
                                            • Kills process with taskkill
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1404
                                        • C:\Windows\SYSTEM32\cmd.exe
                                          cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                          3⤵
                                            PID:4448
                                            • C:\Windows\system32\taskkill.exe
                                              taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                              4⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4456
                                          • C:\Windows\SYSTEM32\cmd.exe
                                            cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                            3⤵
                                              PID:5088
                                              • C:\Windows\system32\taskkill.exe
                                                taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                4⤵
                                                • Kills process with taskkill
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:244
                                            • C:\Windows\SYSTEM32\cmd.exe
                                              cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                              3⤵
                                                PID:3388
                                                • C:\Windows\system32\sc.exe
                                                  sc stop HTTPDebuggerPro
                                                  4⤵
                                                  • Launches sc.exe
                                                  PID:3100
                                              • C:\Windows\SYSTEM32\cmd.exe
                                                cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                3⤵
                                                  PID:3820
                                                  • C:\Windows\system32\taskkill.exe
                                                    taskkill /IM HTTPDebuggerSvc.exe /F
                                                    4⤵
                                                    • Kills process with taskkill
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2988
                                                • C:\Windows\SYSTEM32\cmd.exe
                                                  cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                  3⤵
                                                    PID:3836
                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                    cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                    3⤵
                                                      PID:2764
                                                      • C:\Windows\system32\taskkill.exe
                                                        taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                        4⤵
                                                        • Kills process with taskkill
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4592
                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                      cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                      3⤵
                                                        PID:2992
                                                        • C:\Windows\system32\taskkill.exe
                                                          taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                          4⤵
                                                          • Kills process with taskkill
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4712
                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                        cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                        3⤵
                                                          PID:4796
                                                          • C:\Windows\system32\taskkill.exe
                                                            taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                            4⤵
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:836
                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                          cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                          3⤵
                                                            PID:3600
                                                            • C:\Windows\system32\sc.exe
                                                              sc stop HTTPDebuggerPro
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:1424
                                                          • C:\Windows\SYSTEM32\cmd.exe
                                                            cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                            3⤵
                                                              PID:4492
                                                              • C:\Windows\system32\taskkill.exe
                                                                taskkill /IM HTTPDebuggerSvc.exe /F
                                                                4⤵
                                                                • Kills process with taskkill
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2476
                                                            • C:\Windows\SYSTEM32\cmd.exe
                                                              cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                              3⤵
                                                                PID:5028
                                                              • C:\Windows\SYSTEM32\cmd.exe
                                                                cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
                                                                3⤵
                                                                  PID:716
                                                                  • C:\Windows\system32\taskkill.exe
                                                                    taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
                                                                    4⤵
                                                                    • Kills process with taskkill
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1688
                                                                • C:\Windows\SYSTEM32\cmd.exe
                                                                  cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
                                                                  3⤵
                                                                    PID:3256
                                                                    • C:\Windows\system32\taskkill.exe
                                                                      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
                                                                      4⤵
                                                                      • Kills process with taskkill
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4888
                                                                  • C:\Windows\SYSTEM32\cmd.exe
                                                                    cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
                                                                    3⤵
                                                                      PID:3984
                                                                      • C:\Windows\system32\taskkill.exe
                                                                        taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
                                                                        4⤵
                                                                        • Kills process with taskkill
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1312
                                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                                      cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
                                                                      3⤵
                                                                        PID:4416
                                                                        • C:\Windows\system32\sc.exe
                                                                          sc stop HTTPDebuggerPro
                                                                          4⤵
                                                                          • Launches sc.exe
                                                                          PID:3900
                                                                      • C:\Windows\SYSTEM32\cmd.exe
                                                                        cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
                                                                        3⤵
                                                                          PID:3032
                                                                          • C:\Windows\system32\taskkill.exe
                                                                            taskkill /IM HTTPDebuggerSvc.exe /F
                                                                            4⤵
                                                                            • Kills process with taskkill
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3364
                                                                        • C:\Windows\SYSTEM32\cmd.exe
                                                                          cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
                                                                          3⤵
                                                                            PID:3796
                                                                        • C:\Windows\Resources\Themes\icsys.icn.exe
                                                                          C:\Windows\Resources\Themes\icsys.icn.exe
                                                                          2⤵
                                                                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                          • Checks BIOS information in registry
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                          • Drops file in Windows directory
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:3336
                                                                          • \??\c:\windows\resources\themes\explorer.exe
                                                                            c:\windows\resources\themes\explorer.exe
                                                                            3⤵
                                                                             • Modifies visibility of hidden/system files in Explorer
                                                                            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                            • Checks BIOS information in registry
                                                                            • Executes dropped EXE
                                                                            • Adds Run key to start application
                                                                            • Checks whether UAC is enabled
                                                                            • Drops file in System32 directory
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Drops file in Windows directory
                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:3856
                                                                            • \??\c:\windows\resources\spoolsv.exe
                                                                              c:\windows\resources\spoolsv.exe SE
                                                                              4⤵
                                                                              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                              • Checks BIOS information in registry
                                                                              • Executes dropped EXE
                                                                              • Checks whether UAC is enabled
                                                                              • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                              • Drops file in Windows directory
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4560
                                                                              • \??\c:\windows\resources\svchost.exe
                                                                                c:\windows\resources\svchost.exe
                                                                                5⤵
                                                                                 • Modifies visibility of hidden/system files in Explorer
                                                                                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                • Checks BIOS information in registry
                                                                                • Executes dropped EXE
                                                                                • Adds Run key to start application
                                                                                • Checks whether UAC is enabled
                                                                                • Drops file in System32 directory
                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3264
                                                                                • \??\c:\windows\resources\spoolsv.exe
                                                                                  c:\windows\resources\spoolsv.exe PR
                                                                                  6⤵
                                                                                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                                                  • Checks BIOS information in registry
                                                                                  • Executes dropped EXE
                                                                                  • Checks whether UAC is enabled
                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:4432
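
The tree above shows `spoolsv.exe` and `svchost.exe` launched from `c:\windows\resources`, a themes directory that never hosts those binaries, and the Downloads list adds an `explorer.exe` under `C:\Windows\Resources\Themes`. The following script is an added example, not part of the sandbox report or of the sample: it encodes the one check a responder would run first over such a tree, namely whether a process whose name matches a Windows system binary is running from the directory that binary legitimately lives in, and whether any executable was written below `C:\Windows\Resources` at all. The paths are copied from the report; the allow-list of legitimate directories is an assumption kept deliberately small for the demonstration.

```python
"""Flag system-binary masquerading in a sandbox process tree / drop list.

Added example (not the sandbox's own code). The paths are copied from the
report; LEGIT_DIRS and NO_EXE_DIRS are assumptions for the demonstration.
"""
import ntpath
import re

# Where each impersonated binary legitimately lives (lower-case, no trailing slash).
LEGIT_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

# Directories in which a newly written .exe is suspicious regardless of its name.
NO_EXE_DIRS = (r"c:\windows\resources",)

# The report prints NT object-manager paths (\??\c:\...) for live processes.
NT_PREFIX = re.compile(r"^\\\?\?\\")


def normalize(path):
    """Strip the \\??\\ prefix and lower-case the path for comparison."""
    return NT_PREFIX.sub("", path).lower()


def audit_path(path):
    """Return the reasons (possibly none) why this image path is suspicious."""
    p = normalize(path)
    directory, name = ntpath.split(p)
    reasons = []
    legit = LEGIT_DIRS.get(name)
    if legit is not None and directory not in legit:
        reasons.append(f"{name} masquerade: runs from {directory}")
    if name.endswith(".exe") and any(
        directory == d or directory.startswith(d + "\\") for d in NO_EXE_DIRS
    ):
        reasons.append(f"executable dropped under {directory}")
    return reasons


# Constructed from the process tree and the Downloads list in this report.
REPORT_PATHS = [
    r"\??\c:\windows\resources\spoolsv.exe",          # PID 4560, argument "SE"
    r"\??\c:\windows\resources\svchost.exe",          # PID 3264
    r"\??\c:\windows\resources\spoolsv.exe",          # PID 4432, argument "PR"
    r"C:\Windows\Resources\Themes\explorer.exe",      # dropped file
    r"C:\Windows\Resources\Themes\icsys.icn.exe",     # dropped file
    r"C:\Users\Admin\AppData\Local\Temp\loader.exe",  # dropped file, user temp: control case
]


def audit(paths):
    """Map each distinct normalized path to its reasons; clean paths are omitted."""
    out = {}
    for path in paths:
        reasons = audit_path(path)
        if reasons:
            out[normalize(path)] = reasons
    return out


if __name__ == "__main__":
    for path, reasons in audit(REPORT_PATHS).items():
        print(path)
        for r in reasons:
            print("   ", r)
```

Two practical points follow from the report itself. The four 2.5MB drops (`explorer.exe`, `icsys.icn.exe`, `spoolsv.exe`, `svchost.exe`) all carry different hashes, so a hash-only IOC needs every copy and will miss the next run; the name-versus-directory mismatch is the stable indicator. And the short arguments `SE` and `PR` passed to the `spoolsv.exe` copies are visible in the tree but are not explained anywhere in the report, so they should be recorded as observed, not interpreted.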

                                                                      Network

                                                                      MITRE ATT&CK Enterprise v15

                                                                      Downloads

                                                                      • C:\Users\Admin\AppData\Local\Temp\loader.exe
                                                                        Filesize: 912KB
                                                                        MD5: c92b21ec0b5b0db8052bf071a2f58b05
                                                                        SHA1: a7456a9a8682546d8501a1f7a8dbabd89b5f815a
                                                                        SHA256: 625ec5db1bddfd0b263ec071d149e6c22c6b5843e101640cf592545efe86866b
                                                                        SHA512: b009df619f961f8cfd5fd284ced8c730c5fe27e3bc489ea90cb2ec21b408b22915221d7d647c23a07c9d12a56f2d61bed97edd17ac77d10158f89633e1526abe

                                                                      • C:\Windows\Resources\Themes\explorer.exe
                                                                        Filesize: 2.5MB
                                                                        MD5: 9e4b8ecdf0020ae302260c79d557c51e
                                                                        SHA1: c91cfbc27ab391749404e70156d13748cbe82e1b
                                                                        SHA256: 3dd81bbf3ebeaa1f667faf3bd568c7aa3596b5e4cbb41a16bb02bc6a240df7b2
                                                                        SHA512: 03ba9277f77e5ac204512f7725f28deff7db6e12e7f3e0026efcb0b46dc31f475dc6087ae8313bf5355e4941d98be5559793e4d87fbce01ae7d79c2fe32524ea

                                                                      • C:\Windows\Resources\Themes\icsys.icn.exe
                                                                        Filesize: 2.5MB
                                                                        MD5: 3256cc409a27c95b37ba4f22e325a954
                                                                        SHA1: 9fa06c03016786313b48e8672fabf53fc40e0c88
                                                                        SHA256: 98bde60dc3b19b04766ce6409f21639ea9f617a414b77fe4dd4bc00a94823085
                                                                        SHA512: 17e6a0c683468749694902b5ec7ec89ac3e5a409f12984fee44f13b2029a500e431fa49df790ec480b301b35ad68e93af44a246665ff23126468390c3bccc99c

                                                                      • C:\Windows\Resources\spoolsv.exe
                                                                        Filesize: 2.5MB
                                                                        MD5: 2126e5036679daf12a476ebf4cfba90d
                                                                        SHA1: 2a43758e5c0527e62afbd93d8e2e53a9e780580e
                                                                        SHA256: 4796c4ef2dfef71c2af6bdb0c2f083ed0a57ada814ece91c2e773d4c43c544c0
                                                                        SHA512: af076c1fbf1f72253d54b0f62aae207624bd6bc7ead3b34eb26cd5908de11802e868a98f17b78f52d24426fbe3d49632a32e8ada713b3e1f34b3be436db58a4e

                                                                      • \??\c:\windows\resources\svchost.exe
                                                                        Filesize: 2.5MB
                                                                        MD5: 36307d266ee4d25895a1356596b8b8b7
                                                                        SHA1: 858e3529e53b9533880756cf9940ca19da109bdf
                                                                        SHA256: 51935391772cddd0b0259e780a1052248655f59d4b24ed1c741ea9d8b20b3b64
                                                                        SHA512: b5621e854d0b560cfe00f290d790e3482539be621c92578f1cfb0b5c9300dd3781839476c36772e127e15f68eee7c76b9552631c2a4644ef3ad2f10d19b36ff0

                                                                      • memory/3208-65-0x00007FF7D7810000-0x00007FF7D78F8000-memory.dmp
                                                                        Filesize: 928KB
                                                                      • memory/3264-40-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3264-58-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3336-13-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3336-53-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3856-22-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3856-66-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/3856-57-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/4432-45-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/4432-50-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/4560-31-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/4560-55-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/5084-0-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
                                                                      • memory/5084-1-0x0000000077924000-0x0000000077926000-memory.dmp
                                                                        Filesize: 8KB
                                                                      • memory/5084-56-0x0000000000400000-0x0000000000A0E000-memory.dmp
                                                                        Filesize: 6.1MB
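
Each memory dump name above encodes the process ID, a sequence number and the start and end address of the dumped region, so the printed Filesize can be recomputed from the name and the dumps can be grouped by region. The script below is an added example, not code from the sandbox: it parses the names exactly as they appear in this report, checks that every address range reproduces the Filesize the sandbox printed, and lists regions that were dumped from more than one process. The dump names and sizes are copied from the report; the KB/MB rendering rule is an assumption that happens to match all fifteen entries.

```python
"""Recompute and cross-check the memory-dump entries of the report.

Added example, not sandbox code. REPORT_DUMPS is copied from the report;
human_size() assumes the sandbox prints whole KB below 1 MiB and one-decimal
MB above it (an assumption that reproduces every Filesize listed).
"""
import re
from collections import defaultdict

# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, as named in the report.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed from the entries above: dump name -> Filesize the sandbox printed.
REPORT_DUMPS = {
    "memory/3208-65-0x00007FF7D7810000-0x00007FF7D78F8000-memory.dmp": "928KB",
    "memory/3264-40-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3264-58-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3336-13-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3336-53-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3856-22-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3856-66-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/3856-57-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/4432-45-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/4432-50-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/4560-31-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/4560-55-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/5084-0-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
    "memory/5084-1-0x0000000077924000-0x0000000077926000-memory.dmp": "8KB",
    "memory/5084-56-0x0000000000400000-0x0000000000A0E000-memory.dmp": "6.1MB",
}


def parse_dump_name(name):
    """Split a dump name into pid, sequence index, start, end and byte size."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render like the report: whole KB below 1 MiB, one-decimal MB above."""
    if nbytes < 1 << 20:
        return f"{round(nbytes / 1024)}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def mismatched_sizes(dumps):
    """Dump names whose address range does not reproduce the printed Filesize."""
    return [n for n, printed in dumps.items()
            if human_size(parse_dump_name(n)["size"]) != printed]


def regions_by_pid(names):
    """pid -> set of (start, end) regions dumped from that process."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def shared_regions(names, min_pids=2):
    """(start, end) -> sorted pids, for regions seen in at least min_pids processes."""
    pids = defaultdict(set)
    for pid, regions in regions_by_pid(names).items():
        for r in regions:
            pids[r].add(pid)
    return {r: sorted(p) for r, p in pids.items() if len(p) >= min_pids}


if __name__ == "__main__":
    print("size mismatches:", mismatched_sizes(REPORT_DUMPS))
    for (s, e), pids in shared_regions(REPORT_DUMPS).items():
        print(f"0x{s:X}-0x{e:X} ({human_size(e - s)}) dumped from PIDs {pids}")
```

What the grouping shows for this report: the same 0x400000 to 0xA0E000 region (0x60E000 bytes, the 6.1MB the sandbox prints) was dumped from six processes (PIDs 3264, 3336, 3856, 4432, 4560 and 5084), which is the picture you would expect when one image is relaunched under several file names. That in-memory span is larger than the 2.5MB of each dropped copy on disk, which is consistent with, though not proof of, a packed image being unpacked at runtime (the report's own signatures flag a Themida packer). PID 3208 is the odd one out: a 928KB region at a 0x7FF7... base, i.e. a different image mapped at a 64-bit address; the report does not say which file it is, so that is left unattributed here.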