Malware Analysis Report

2024-09-11 06:47

Sample ID 240524-p4ty4sdf2w
Target Windows Loader.exe
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
Tags
upx discovery exploit
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94

Threat Level: Likely malicious

The file Windows Loader.exe was found to be: Likely malicious.

Malicious Activity Summary

upx discovery exploit

Possible privilege escalation attempt

Checks BIOS information in registry

Executes dropped EXE

Modifies file permissions

UPX packed file

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-24 12:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 12:53

Reported

2024-05-24 12:56

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\bootsect.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 (if this is the privilege LUID, 33 is SeIncreaseWorkingSetPrivilege) N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: 33 (as above) N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; repeat count at the end of each row)
PID 1992 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 2208 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 2336 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe (4 rows)
PID 1992 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 968 wrote to memory of 2140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe (4 rows)
PID 1992 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 2300 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 2316 wrote to memory of 1692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe (4 rows)
PID 1992 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 1568 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe (4 rows)
PID 1992 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe (4 rows)
PID 876 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe (3 rows)
PID 1992 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe (4 rows)
PID 2104 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe (3 rows)
PID 1992 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 568 wrote to memory of 812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\compact.exe (4 rows)
PID 1992 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe (2 rows)
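The rows above read as one long injection log, but a parent writing a few blocks into a child it has just created is part of normal process start-up, which is why every child here appears with three or four writes. What the table actually encodes is the parent-child tree: the loader (PID 1992) spawns cmd.exe wrappers, which spawn takeown, icacls, cscript and compact. The script below is an added example, not part of the sandbox report; it parses an excerpt of the report's rows (copied verbatim, identical rows included) into that tree and collapses the repeats into a per-edge write count. The parser, the tree rendering and the function names are the example's own.

```python
"""Rebuild the sandbox's process tree from its 'PID X wrote to memory of Y' rows.

Added example, not part of the report. The rows below are an excerpt copied
from the report's WriteProcessMemory table (identical rows kept as they appear);
the parser, the tree rendering and the function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the report's rows, used here as constructed input.
WPM_ROWS = r"""
PID 1992 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2336 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2336 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2336 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1992 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\system32\cmd.exe
PID 876 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 876 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 876 wrote to memory of 880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1992 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe C:\Windows\SysWOW64\cmd.exe
"""

# Parent image paths contain spaces ("Windows Loader.exe"), so split on the
# ".exe" boundaries rather than on whitespace.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+\.exe) (C:\\.+\.exe)$")


def parse_rows(text):
    """Return (edges, images): edges[(parent, child)] counts the writes recorded
    for that pair; images[pid] is the image path the report shows for the pid."""
    edges = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank line or a row in some other shape
        parent, child = int(m.group(1)), int(m.group(2))
        edges[(parent, child)] += 1
        images.setdefault(parent, m.group(3))
        images.setdefault(child, m.group(4))
    return edges, images


def roots(edges):
    """PIDs that write to others but are never written to: the tree roots."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render(edges, images):
    """Indented tree, one line per process, children in the order the report lists them."""
    kids = defaultdict(list)
    for (p, c), n in edges.items():
        kids[p].append((c, n))
    lines = []

    def walk(pid, depth, writes=None):
        tag = "" if writes is None else f"  ({writes} writes)"
        lines.append(f"{'    ' * depth}{pid} {images[pid]}{tag}")
        for child, n in kids[pid]:
            walk(child, depth + 1, n)

    for root in roots(edges):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    e, i = parse_rows(WPM_ROWS)
    print("\n".join(render(e, i)))
```

Running it prints the loader at the top with each cmd.exe wrapper indented under it and the LOLBin it launched one level deeper, with the repeat count per edge; a write from a process into a PID that is not its own freshly created child would stand out as an edge whose target already has another parent.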

Processes

C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "compact /u \\?\Volume{8f38c743-d02e-11ee-b591-806e6f6e6963}\ITHFD"

C:\Windows\SysWOW64\compact.exe

compact /u \\?\Volume{8f38c743-d02e-11ee-b591-806e6f6e6963}\ITHFD

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force
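Read together, the command lines describe a single procedure built entirely from Windows tools: takeown /f takes ownership of C:\ldrscan\bootwin and icacls then grants *S-1-1-0 (the Everyone SID) full control (F), leaving that path world-writable; cscript runs slmgr.vbs with -ilc to install a license certificate (the dropped C:\Acer.XRM-MS) and -ipk to install the product key shown; compact /u decompresses a file addressed through a volume GUID path instead of a drive letter; and the dropped C:\bootsect.exe /nt60 SYS /force rewrites the boot code of the system partition, forcing a dismount if needed. That last step is the one that touches the boot path and deserves the most attention. The script below is an added example, not part of the report and not a sandbox signature set: it runs a small set of regex rules over the command lines copied from the Processes section, de-duplicates the cmd.exe wrapper hits, and checks for the takeown-then-icacls chain on the same path. The rule names, regexes and function names are the example's own.

```python
"""Flag the living-off-the-land chain in the report's Processes section.

Added example, not part of the report. COMMANDS is copied from the report's
Processes section; the rule names, the regexes and the chain check are this
example's own and are not a sandbox signature set.
"""
import re

# Command lines copied from the report (constructed input for this example).
COMMANDS = [
    r'"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"',
    r'cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"',
    r'cmd.exe /c takeown /f C:\ldrscan\bootwin',
    r'takeown /f C:\ldrscan\bootwin',
    r'cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"',
    r'icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)',
    r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""',
    r'C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"',
    r'C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2',
    r'cmd.exe /A /C "compact /u \\?\Volume{8f38c743-d02e-11ee-b591-806e6f6e6963}\ITHFD"',
    r'compact /u \\?\Volume{8f38c743-d02e-11ee-b591-806e6f6e6963}\ITHFD',
    r'cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"',
    r'C:\bootsect.exe /nt60 SYS /force',
]

# Each rule captures the one detail a triage note needs (path, option or target).
# Path groups exclude quotes so a wrapped command and its inner copy dedupe.
RULES = {
    # takeown /f <path>: take ownership so the ACL can be rewritten
    "takeown": re.compile(r"\btakeown(?:\.exe)?\s+/f\s+(?P<path>[^\s\"]+)", re.I),
    # icacls <path> /grant *S-1-1-0:(F): Everyone (S-1-1-0) gets Full control
    "icacls_everyone_full": re.compile(
        r"\bicacls(?:\.exe)?\s+(?P<path>[^\s\"]+)\s+/grant\s+(?:\*S-1-1-0|Everyone):\(?F\)?", re.I),
    # slmgr.vbs -ilc (install license cert), -ipk (install key), -ato, -rearm; slash or dash
    "slmgr_license_change": re.compile(r"slmgr\.vbs\s+[-/](?P<opt>ilc|ipk|ato|rearm)\b", re.I),
    # bootsect /nt60 or /nt52 <target>: rewrites boot code on the named volume
    "bootsect_rewrite": re.compile(r"\bbootsect(?:\.exe)?\s+/nt(?:52|60)\s+(?P<target>\S+)", re.I),
    # compact /u \\?\Volume{GUID}\...: file addressed by volume GUID, not a drive letter
    "compact_volume_guid": re.compile(
        r"\bcompact(?:\.exe)?\s+/u\s+(?P<path>\\\\\?\\Volume\{[^\s\"]+)", re.I),
}


def scan(commands):
    """Return {rule: [captured groups, ...]}, one entry per distinct (rule, captures)
    so a command and its cmd.exe wrapper count once."""
    hits = {}
    seen = set()
    for cmd in commands:
        for name, rx in RULES.items():
            m = rx.search(cmd)
            if not m:
                continue
            key = (name, tuple(v.lower() for v in m.groupdict().values()))
            if key in seen:
                continue
            seen.add(key)
            hits.setdefault(name, []).append(m.groupdict())
    return hits


def acl_weakening_chain(hits):
    """Paths that were taken over with takeown and then granted Everyone:(F)."""
    took = {h["path"].lower() for h in hits.get("takeown", [])}
    opened = {h["path"].lower() for h in hits.get("icacls_everyone_full", [])}
    return sorted(took & opened)


def triage(commands):
    """Scan plus the chain check; returns (hits, human-readable findings)."""
    hits = scan(commands)
    findings = [f"{name}: {len(v)} distinct" for name, v in hits.items()]
    chain = acl_weakening_chain(hits)
    if chain:
        findings.append("world-writable after ownership takeover: " + ", ".join(chain))
    return hits, findings


if __name__ == "__main__":
    for line in triage(COMMANDS)[1]:
        print(line)
```

The same rules can be pointed at Sysmon event 1 or security event 4688 command lines; the chain check is the part worth keeping, since takeown or icacls alone are routine in administration scripts, while ownership takeover followed by an Everyone full-control grant on the same path is rarely legitimate.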

Network

N/A

Files

memory/1992-0-0x0000000000400000-0x0000000000623000-memory.dmp

memory/1992-1-0x00000000025A0000-0x0000000002743000-memory.dmp

memory/1992-15-0x00000000002D0000-0x00000000002E2000-memory.dmp

memory/1992-10-0x00000000002C0000-0x00000000002D0000-memory.dmp

memory/1992-2-0x00000000002A0000-0x00000000002B3000-memory.dmp

memory/1992-23-0x0000000010000000-0x0000000010021000-memory.dmp

memory/1992-39-0x0000000000310000-0x0000000000320000-memory.dmp

memory/1992-55-0x0000000000330000-0x0000000000350000-memory.dmp

memory/1992-47-0x0000000000320000-0x0000000000330000-memory.dmp

memory/1992-31-0x00000000002F0000-0x0000000000301000-memory.dmp

memory/1992-64-0x0000000000400000-0x0000000000623000-memory.dmp

C:\Acer.XRM-MS

MD5 f25832af6a684360950dbb15589de34a
SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

memory/1992-68-0x0000000000400000-0x0000000000623000-memory.dmp

memory/1992-69-0x0000000000400000-0x0000000000623000-memory.dmp

\??\Volume{8f38c743-d02e-11ee-b591-806e6f6e6963}\ITHFD

MD5 3c55fd03d93511d9b0e7156dbad9382f
SHA1 1e6d0769d9d4713f71db92db246dff1051a40fdd
SHA256 ab4f9e8874263e5a3050f6783e64fa54a04547a64f17baae24f919178e1e88a3
SHA512 a0616f74cb17619a961f102d373ae1a738e53f79d7126a44e1815affa222eaeee624f2290eb6b7a058c68051aa5a48e5b62d65ed7d26bb6b16bfc6210729d5c3

C:\bootsect.exe

MD5 922c54c3d1038816aa155981ab96300a
SHA1 294d1729d3046982f786164ae2cab1273813d69f
SHA256 80d778bc4a652ac6e98178cf0329fce086985ca05215c31b60997aa65fd657c0
SHA512 831c8f52633315040511b8f4f84cf2b697be8921fac61febaa936f820b9dd492abaafacbdf2e780b313fd825149fba1252c2d96b4c684cfd1958a67e0f01e7dd

memory/2576-78-0x0000000001000000-0x000000000101B000-memory.dmp

memory/1992-81-0x0000000000400000-0x0000000000623000-memory.dmp