Malware Analysis Report

2024-08-06 12:40

Sample ID 240523-m7k49sea29
Target a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
SHA256 a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
Tags
rat default asyncrat stealerium collection evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282

Threat Level: Known bad

The file a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282 was found to be: Known bad.

Malicious Activity Summary

rat default asyncrat stealerium collection evasion spyware stealer trojan

UAC bypass

AsyncRat

Asyncrat family

Stealerium

Modifies Windows Defender Real-time Protection settings

Async RAT payload

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Windows security modification

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Looks up geolocation information via web service

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

System policy modification

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-23 11:06

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 11:06

Reported

2024-05-23 11:08

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"

Signatures

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Stealerium

stealer stealerium

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\System32\cmd.exe
PID 4888 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\system32\cmd.exe
PID 2572 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 832 wrote to memory of 3720 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2572 wrote to memory of 528 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Loaader.exe
PID 528 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 904 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 1884 wrote to memory of 4088 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1884 wrote to memory of 3548 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1884 wrote to memory of 1684 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 528 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 2312 wrote to memory of 1956 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2312 wrote to memory of 3872 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe

"C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5285.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'

C:\Users\Admin\AppData\Roaming\Loaader.exe

"C:\Users\Admin\AppData\Roaming\Loaader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
NL 23.62.61.113:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 113.61.62.23.in-addr.arpa udp
US 66.235.168.242:3232 tcp
US 8.8.8.8:53 242.168.235.66.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp

Files

memory/4888-0-0x00000000009F0000-0x0000000000A06000-memory.dmp

memory/4888-1-0x00007FFE80DA3000-0x00007FFE80DA5000-memory.dmp

memory/4888-2-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

memory/4888-7-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

memory/4888-8-0x00007FFE80DA0000-0x00007FFE81861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5285.tmp.bat

MD5 fc3951f8e84d41ffe6ffa9125dd9ec0a
SHA1 5721dae2ef28e9c3d0e1766d4e78a469a645b378
SHA256 9dcf50c00b5b7ce0c3ca4327588ef114e3909147034f2f044271b5b8cefb0926
SHA512 f433a9e5740982f61ad45edcc3927bc32b4e9c6c27dfec1efb0ae46e143e5befe01110e0eca9cb2e2a742a3b38841ce626e303f1cd229103659b566fc054e541

C:\Users\Admin\AppData\Roaming\Loaader.exe

MD5 b8d455465260a845db35492fda5a8888
SHA1 287b0ba049ad8f3be802d2224efb86dba72d3221
SHA256 a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
SHA512 5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

memory/528-15-0x000000001D0F0000-0x000000001D166000-memory.dmp

memory/528-16-0x000000001D070000-0x000000001D0A4000-memory.dmp

memory/528-17-0x000000001D0A0000-0x000000001D0BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vrb5vc0a.od5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5108-23-0x000002C2E73D0000-0x000002C2E73F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/528-42-0x000000001D2A0000-0x000000001D352000-memory.dmp

memory/528-44-0x000000001D8E0000-0x000000001DA68000-memory.dmp

memory/528-49-0x00000000024F0000-0x00000000024FA000-memory.dmp

C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt

MD5 f4e0cd362bb2a44d6037766556887d1c
SHA1 d39acebfc335ba3777a7bf2fbc5cbb37f1298de2
SHA256 289400d731b513ad9eb0dacb5cbad7ec3d7632294fe8fd4b6acf688424d19b9e
SHA512 f189227f7c8521415ebebe525abe0536ed17a3e27dbf18f3c60dfc0b9d6afe81ff6990e4355aec003016b185d929de724b3e316d765482bb9e312ff5186ab76f

C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt

MD5 241bc9c3cd73370441c67ee521f6c435
SHA1 04737f7bbd441a3cc70c8c110ed2dd27a3b168a3
SHA256 49165f22e7c4e5d0cb520486708c4c25db9d0c210b66b227fd62ca4fe1dd5f74
SHA512 437580357dee5940468aebe59dbdca90538276e70c03ad98ff9ca27eb9211186728f710d87b5985022245c34ddf6c60bdde425e1ec941147ad441291c45947cf

C:\Users\Admin\AppData\Local\dec13f7648136b013950c313650eaf39\Admin@BVRKIPTS_en-US\System\Process.txt

MD5 055cb94fd91e56f0ebd52625fe8c6650
SHA1 df65d5c10889baf49616035800d5a864501b2588
SHA256 6fe06e61f037260946d3ac5789cb6fa08e7dc8488addaa6f048d852ad5f19ed6
SHA512 01039af9095f0ee17d2dbc077de4c7bff235cc6a9356ec238dca3c9c2ec7202d7e66d57b339f4532edba46bf9622f3a6b0860468c7b91950740515f90a8eeb7f

memory/528-200-0x000000001CC70000-0x000000001CCEA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 11:06

Reported

2024-05-23 11:09

Platform

win11-20240508-en

Max time kernel

101s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"

Signatures

AsyncRat

rat asyncrat

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Stealerium

stealer stealerium

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A ip-api.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2400 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\System32\cmd.exe
PID 2400 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\system32\cmd.exe
PID 2400 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe C:\Windows\system32\cmd.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2152 wrote to memory of 2888 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2312 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 3032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Loaader.exe
PID 2312 wrote to memory of 3924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Loaader.exe
PID 3924 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 3636 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3924 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 3924 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 2136 wrote to memory of 3116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2136 wrote to memory of 3116 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2136 wrote to memory of 896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 896 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2136 wrote to memory of 344 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2136 wrote to memory of 344 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3924 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 3924 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\Loaader.exe C:\Windows\SYSTEM32\cmd.exe
PID 1556 wrote to memory of 4204 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1556 wrote to memory of 4204 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1556 wrote to memory of 3052 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1556 wrote to memory of 3052 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\consentpromptbehavioradmin = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\enablelua = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\promptonsecuredesktop = "0" C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Loaader.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe

"C:\Users\Admin\AppData\Local\Temp\a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AFA.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Loaader" /tr '"C:\Users\Admin\AppData\Roaming\Loaader.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\Loaader.exe

"C:\Users\Admin\AppData\Roaming\Loaader.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 66.235.168.242:3232 tcp
US 104.16.184.241:80 icanhazip.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 104.21.44.66:443 api.mylnikov.org tcp

Files

memory/2400-0-0x0000000000C10000-0x0000000000C26000-memory.dmp

memory/2400-1-0x00007FFE097B3000-0x00007FFE097B5000-memory.dmp

memory/2400-2-0x00007FFE097B0000-0x00007FFE0A272000-memory.dmp

memory/2400-3-0x00007FFE097B0000-0x00007FFE0A272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8AFA.tmp.bat

MD5 c9c7a46789559d79a087181381a63139
SHA1 2ecad246c77b9da3e0752e2a58d077fb54d1cead
SHA256 6a842e2d1aeb09a9213860cb30acad653c3a83c236adac55a11ac986f0a3f23d
SHA512 ca4e87e8bf8f2f1a65607e2aa365a63bae4fad424e137200376997c917c27be2aa59da9dfa055ebbbad32913a805267b55783f70b60b404b3e5f0e7547e44bfa

memory/2400-8-0x00007FFE097B0000-0x00007FFE0A272000-memory.dmp

C:\Users\Admin\AppData\Roaming\Loaader.exe

MD5 b8d455465260a845db35492fda5a8888
SHA1 287b0ba049ad8f3be802d2224efb86dba72d3221
SHA256 a150a433c6a3e4278f6cc4cbc85863fc431e5c1e65081ad67253513e8ca01282
SHA512 5dba43ae31420de362593752e8ff491afbe8d20f183f6b95e6962ea1e637c7bf3bd50b5213e4d928a96b85d9b54841ee697798b0089624b13ef7eded826cd86a

memory/3924-15-0x000000001CF50000-0x000000001CFC6000-memory.dmp

memory/3924-16-0x0000000002370000-0x00000000023A4000-memory.dmp

memory/3924-17-0x000000001CED0000-0x000000001CEEE000-memory.dmp

memory/3924-18-0x00000000023A0000-0x00000000023D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti2cxglc.yiv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3636-27-0x000002B3EDDA0000-0x000002B3EDDC2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

memory/3924-41-0x000000001D4D0000-0x000000001D582000-memory.dmp

memory/3924-43-0x000000001DBF0000-0x000000001DD78000-memory.dmp

memory/3924-48-0x000000001D710000-0x000000001D71A000-memory.dmp

C:\Users\Admin\AppData\Local\1c629bcf45b09b5e024d3c5ce4c67cbf\Admin@OYHKEPSP_en-US\Browsers\Mozilla\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\1c629bcf45b09b5e024d3c5ce4c67cbf\Admin@OYHKEPSP_en-US\System\Process.txt

MD5 8be47432f9a5954d7490f6480f863f64
SHA1 0f72a817fa5413624fe4325657368811e6a79eea
SHA256 685bdd2ce75d725c13a0319bc54fca46ecdaa2261e7d60f116341cfeea74ca2c
SHA512 288a560dd75fa5a89f8226f28e8bbc05aff4c8d31692eefbea457bb4e95667e3c9e254eaeeb56751444db8ab4ef654bd89632cb7937548cf7f78b1dc81f1db3c

C:\Users\Admin\AppData\Local\1c629bcf45b09b5e024d3c5ce4c67cbf\Admin@OYHKEPSP_en-US\System\Process.txt

MD5 7190bb750d7950c6df9bded7bf72d9a3
SHA1 39a218eede3870b9762bba93767f931b3daeff1e
SHA256 0df1a3d694b5c6659d17f4ae017b9403834d4d67340235f911c32164b12c8057
SHA512 431527adfa20002a029fc958131363836889b8b8565ba2176c8aa775a6e6ed4434c67024491b7d2cd544bda0eb5f33553121f6c5a34c3b763b94c15006410915

C:\Users\Admin\AppData\Local\1c629bcf45b09b5e024d3c5ce4c67cbf\Admin@OYHKEPSP_en-US\System\Process.txt

MD5 a5a645b1b8dc5d0a5f6ed8ff0c17dac7
SHA1 06c6a470dbe411b1f17644ab7d5694ddb5f869d3
SHA256 f1df5e1785d1109b8f7ef0a6cacbbd1b614b262a9b8dcb5231c64237131ce719
SHA512 198cfb771c5bddae843860cd4f3189a27add274282d74229f9fa903edaffae853431731347c118638b3984546422599573f967630e85acecffd4243ae750d680

C:\Users\Admin\AppData\Local\1c629bcf45b09b5e024d3c5ce4c67cbf\Admin@OYHKEPSP_en-US\System\Process.txt

MD5 8815596f17a50efe63c58850b0d294b2
SHA1 1f1f46c924e71433adc158becb9011082db2658d
SHA256 2a133d1f1b1d807d26f48bf7e20d160ed7ef5e5664ed3e000b10fe06d1ff19fe
SHA512 d3f14266a71e28332ac0d5f38586ee42cd340dac5565a3417a0fe920192a0bf7548c7b9bc339d06a6c493310ae244c4648f978727de3859b190462d1d703c117

memory/3924-191-0x00000000008E0000-0x000000000095A000-memory.dmp