Resubmissions

11-06-2024 14:57

240611-sbkrhs1gkk 3

11-06-2024 14:34

240611-rxtqwa1ckl 10

Analysis

  • max time kernel
    52s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-06-2024 14:57

General

  • Target

    exloader.exe

  • Size

    374KB

  • MD5

    5f5c62095352d43aa3e0c44e523de441

  • SHA1

    ebc3afb594a29bede8361b09de504d35dd6f082a

  • SHA256

    7165426a7c1588e66f85f527eb7f8a78523d470a2b5b433239dd6806b4169d3d

  • SHA512

    e920f6a28dce9c73f3906068aebd5d772a2ff600842d798a6f573a13f3b079b0dbcf5c14020c1e0ad0f589c9466699585b3ee55108b7ffa771c23f85251928d1

  • SSDEEP

    6144:yzieeedDj8F69uBDbkkL2b96+9I3zyGaqI8ZexY1rnPAoViXbaGJEC6:9LedDCVDbkkCb96MGa9BxY1TfASC6

Score
1/10

Malware Config

Signatures

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\exloader.exe
    "C:\Users\Admin\AppData\Local\Temp\exloader.exe"
    1⤵
      PID:1976
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.0.25803692\1747560718" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36c239fd-7931-47f1-8aef-51889a63daf6} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 1852 29a31f0f658 gpu
          3⤵
            PID:1692
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.1.2025566023\85346909" -parentBuildID 20230214051806 -prefsHandle 2424 -prefMapHandle 2412 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f3b8ad0-99f5-41f9-86f6-e4804ed70e34} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 2436 29a25285f58 socket
            3⤵
              PID:4372
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.2.52606744\2137053657" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07cc96a6-c3da-441b-a2d0-8899fc0f391e} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 2988 29a34e13c58 tab
              3⤵
                PID:4536
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.3.1123870789\1739890109" -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78465a7e-e844-407c-9c94-a05450ce8714} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 3340 29a36b85458 tab
                3⤵
                  PID:2976
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.4.968482123\395929494" -childID 3 -isForBrowser -prefsHandle 5088 -prefMapHandle 5084 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc90fcce-5fd8-48b9-b29d-8e10a942892e} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 5068 29a39050c58 tab
                  3⤵
                    PID:2428
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.5.1833062588\17330841" -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5316 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dba316b-c8c4-4cbc-87a0-b8dbbcf3256d} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 5328 29a39050f58 tab
                    3⤵
                      PID:3348
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2688.6.1175035167\183253599" -childID 5 -isForBrowser -prefsHandle 5232 -prefMapHandle 5236 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1264 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45dbb72-0d65-415f-974a-43968c61571d} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" 5224 29a390fb258 tab
                      3⤵
                        PID:1108

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

    Filesize
    26KB

    MD5
    5389fc17bcf6c68094a20d7ef84055cf

    SHA1
    b6279ba44be99e77a7e2b5aae7a12c937a2372a9

    SHA256
    fc6a0fd8a23f39196ecc432ad2148e8a74d4f42d4f6a3a7205d6481e78c584b6

    SHA512
    7377636b3f82c27e61f656fca33f540e788978c2c0232e2dd55b1291c6edc1b563cf2d8263038ebf8b5995272df7ed5ef4f0efbb9def97929173255694f552cc

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

    Filesize
    7KB

    MD5
    2eb621e9258d0dd3be089faafab3c0d0

    SHA1
    d7590b105acd86d3fd8f28154eb2d35ebed5e95d

    SHA256
    b15de20ed60b71310605abd2e211dd01640d51defd06877b3205c8569d38d268

    SHA512
    8ea5ebf303ed5f68537d97b56f23be79ce098f095163b006c2162c831629b262ca8aa0ff541445821da8dd8bcc7298fae73b73214de6f5ad84dce64036bc1fd2

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

    Filesize
    7KB

    MD5
    58dc994422ae4f9f08b977b1aee09ee7

    SHA1
    b8277990518147540202aa26f2a850c6fde4cbc0

    SHA256
    08417a583b985bdba2948e04c9fdaf186094c88916b15e3950ffd3a54cc9140d

    SHA512
    d9017a424278cf118d5a02367bce85a729a98cd8c2b9716c7e7a1a6d7be8551a020f9598b4d5dc62de82027173fb450c324ad5dd6076c7e3eafd8c901d97ef6c

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

    Filesize
    1KB

    MD5
    f0a4a00dd62fc9b35586c96be84d2e73

    SHA1
    8250a3d6a8193f55408c7fd6a8c346109d0abd67

    SHA256
    cf65eb6f4c7a32cf84ea92478350a832885d2e96b1f6f6b11f80eadca827152b

    SHA512
    b2b8c24dadb1131bfc102762a22afe03acc70590335d65a876612cab4684d2bb01d99e420292a2f6574dcafeeadc4c2518ff74b08fe71d890fba6bcae07172d1