Analysis
- max time kernel: 14s
- max time network: 17s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2024 18:17

Behavioral task: behavioral1
- Sample: Loader.exe
- Resource: win10v2004-20240426-en
General
- Target: Loader.exe
- Size: 16.6MB
- MD5: b352be3778029a883d12879b28cb9983
- SHA1: 5af8c96e4f429c81c20f62b9e208384a04b397f7
- SHA256: 29e1a7d0ae4f700212bd0395e9fb511af08fbef9c1bf35aa9e77c6f2ab931b14
- SHA512: 42851f8cd0763f10b68003b26e639ef625d037b18aa0d4e7b99f6e0977385d7addb6eab945a12d22fa8d3277084480137550273543d382b4fc35c60fa3853a81
- SSDEEP: 393216:8GmAWaHdqVlohjmp+Sub6a9cQ4uTQnjeaijvP:ADAdulqO5I9TlvP
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  Loader.exe: key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Creates new service(s) (2 TTPs)
- Drops file in Drivers directory (1 IoC)
  Processes:
  Loader.exe: file created C:\Windows\System32\drivers\winhb.sys
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  Loader.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Loader.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
  Loader.exe: key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation
- YARA rule match: themida (6 memory regions)
  Processes:
  behavioral1/memory/3944-0-0x0000000140000000-0x00000001425AE000-memory.dmp
  behavioral1/memory/3944-1-0x0000000140000000-0x00000001425AE000-memory.dmp
  behavioral1/memory/3944-2-0x0000000140000000-0x00000001425AE000-memory.dmp
  behavioral1/memory/3944-3-0x0000000140000000-0x00000001425AE000-memory.dmp
  behavioral1/memory/3944-15-0x0000000140000000-0x00000001425AE000-memory.dmp
  behavioral1/memory/3944-16-0x0000000140000000-0x00000001425AE000-memory.dmp
- Checks whether UAC is enabled
  Processes:
  Loader.exe: key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Drops file in System32 directory (6 IoCs)
  Processes:
  Loader.exe: file opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}
  Loader.exe: file opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}
  Loader.exe: file opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}
  Loader.exe: file opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}
  Loader.exe: file opened for modification C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}
  Loader.exe: file opened for modification C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  Loader.exe (PID 3944)
- Drops file in Windows directory (4 IoCs)
  Processes:
  Loader.exe: file opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}
  Loader.exe: file opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}
  Loader.exe: file opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}
  Loader.exe: file opened for modification C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}
- Launches sc.exe (4 IoCs)
  sc.exe is a Windows utility to control services on the system.
  Processes:
  sc.exe (PID 2736), sc.exe (PID 2080), sc.exe (PID 432), sc.exe (PID 1496)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (32 IoCs)
  Processes:
  Loader.exe (PID 3944), 32 occurrences
- Suspicious behavior: LoadsDriver (2 IoCs)
  Processes:
  PID 664 (process name not recorded), 2 occurrences
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (each parent/target pair is recorded twice in the report):
  PID 3944 Loader.exe wrote to memory of PID 3336 cmd.exe
  PID 3336 cmd.exe wrote to memory of PID 1496 sc.exe
  PID 3944 Loader.exe wrote to memory of PID 1752 cmd.exe
  PID 1752 cmd.exe wrote to memory of PID 2736 sc.exe
  PID 3944 Loader.exe wrote to memory of PID 4452 cmd.exe
  PID 3944 Loader.exe wrote to memory of PID 1664 cmd.exe
  PID 3944 Loader.exe wrote to memory of PID 1504 cmd.exe
  PID 4452 cmd.exe wrote to memory of PID 2080 sc.exe
  PID 1504 cmd.exe wrote to memory of PID 2204 certutil.exe
  PID 1504 cmd.exe wrote to memory of PID 400 find.exe
  PID 1504 cmd.exe wrote to memory of PID 4492 find.exe
  PID 1664 cmd.exe wrote to memory of PID 432 sc.exe
  PID 3944 Loader.exe wrote to memory of PID 3236 cmd.exe
  PID 3944 Loader.exe wrote to memory of PID 3592 cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 3944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Drops file in Drivers directory; Checks BIOS information in registry; Checks computer location settings; Checks whether UAC is enabled; Drops file in System32 directory; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 3336)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 1496)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      Signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 1752)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 2736)
      Command line: sc start windowsproc
      Signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 4452)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 2080)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      Signatures: Launches sc.exe
  - C:\Windows\System32\cmd.exe (PID 1664)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\sc.exe (PID 432)
      Command line: sc start windowsproc
      Signatures: Launches sc.exe
  - C:\Windows\system32\cmd.exe (PID 1504)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\certutil.exe (PID 2204)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    - C:\Windows\system32\find.exe (PID 400)
      Command line: find /i /v "md5"
    - C:\Windows\system32\find.exe (PID 4492)
      Command line: find /i /v "certutil"
  - C:\Windows\system32\cmd.exe (PID 3236)
    Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Windows\system32\cmd.exe (PID 3592)
    Command line: C:\Windows\system32\cmd.exe /c cls
Network
MITRE ATT&CK Enterprise v15
Downloads
- memory/3944-0-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)
- memory/3944-1-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)
- memory/3944-2-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)
- memory/3944-3-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)
- memory/3944-4-0x00007FF906B10000-0x00007FF906B12000-memory.dmp (8KB)
- memory/3944-15-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)
- memory/3944-16-0x0000000140000000-0x00000001425AE000-memory.dmp (37.7MB)