Malware Analysis Report

2024-09-11 06:37

Sample ID 240524-p1pj8add48
Target Windows Loader.exe
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
Tags
upx discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

Threat Level: Likely malicious

The file Windows Loader.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery exploit

Possible privilege escalation attempt

UPX packed file

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File and Directory Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-24 12:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 12:47

Reported

2024-05-24 12:49

Platform

win7-20240221-en

Max time kernel

56s

Max time network

62s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bootsect.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2592 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2592 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2592 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2660 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2728 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2728 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2728 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2660 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2012 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2012 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2012 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2012 wrote to memory of 1236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2660 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1920 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1920 wrote to memory of 1908 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2660 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 2660 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1760 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1760 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2660 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2936 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2936 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2936 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2936 wrote to memory of 1068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe
PID 2660 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "compact /u \\?\Volume{9b4686c3-d10b-11ee-9cdc-806e6f6e6963}\XDFVE"

C:\Windows\SysWOW64\compact.exe

compact /u \\?\Volume{9b4686c3-d10b-11ee-9cdc-806e6f6e6963}\XDFVE

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

memory/2660-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2660-1-0x0000000000300000-0x0000000000313000-memory.dmp

memory/2660-14-0x0000000000330000-0x0000000000342000-memory.dmp

memory/2660-22-0x0000000002560000-0x0000000002703000-memory.dmp

memory/2660-9-0x0000000000320000-0x0000000000330000-memory.dmp

memory/2660-31-0x0000000000370000-0x0000000000381000-memory.dmp

memory/2660-47-0x0000000000390000-0x00000000003A0000-memory.dmp

memory/2660-23-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2660-55-0x00000000003A0000-0x00000000003C0000-memory.dmp

memory/2660-39-0x0000000000350000-0x0000000000360000-memory.dmp

memory/2660-64-0x0000000000400000-0x0000000000623000-memory.dmp

C:\Acer.XRM-MS

MD5 f25832af6a684360950dbb15589de34a
SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

memory/2660-68-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2660-69-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2660-70-0x0000000000400000-0x0000000000623000-memory.dmp

\??\Volume{9b4686c3-d10b-11ee-9cdc-806e6f6e6963}\XDFVE

MD5 0a2deaf9a726c7dbb05c128ca559d0c1
SHA1 ae1eb04007dc83aaaed89625b9cc35ae27e9de83
SHA256 8a98b8a92c11e1ab256b9047f762bdac6c37adbc84ebdfbfc3b00dc2c716be8b
SHA512 2dae19468eea0c5054deb970cb6ea27892bc4d5c586d28937872134711f6ce64b5a062683517bdd34be4ce10b60050e90fd429f28c63fd148d83e0f91b84775f

C:\bootsect.exe

MD5 c5a8c6cf9cbeb37b3ecfe25e8aff6880
SHA1 9f85391ab443f23795cc4629bc088c47c5291119
SHA256 2ff30f1d960ffbe3a83bce386935471b70e7b878b5fa11575701ee633dda98be
SHA512 8ea23b02903a1b667a00ac713588fc3803fa4b3444d17342fb31975d69243c2dcde0aabd620d7bf7d0d12f132b53933d5c054cc9496a318513fedf314256915e

memory/2660-82-0x0000000000400000-0x0000000000623000-memory.dmp