Analysis
max time kernel: 80s
max time network: 64s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 19:58
Static task: static1
Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win11-20240611-en
General
Target: Loader.exe
Size: 1.8MB
MD5: 289f27e7a02f8e76ebf39d2c0c3f09e4
SHA1: fb404a7a85d5fb617436f73832e4716556756d6a
SHA256: 854d267aea33e8dc80021ac043b003ab7c6f99061e56e36572cba3548e6882c9
SHA512: 38798cc71da6dfd8022dff2be635db8b938ba8d8dc5db8196802af2d9deb26dda145e0e581a6b8eb7022a1e0c33ff34c666cc4817f9f2ac50d1f362f434a75fe
SSDEEP: 24576:KuDXTIGaPhEYzUzA0Dz46fMR/6Y/M3pPux8KVzVvu9JDcEL0NLpgjdyWhPOePTnK:9Djlabwz9PHMf/M3BuxbzuDQyBPXam0H
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                 process
  Key value queried   \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation   Loader.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  2368   powershell.exe
  2368   powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2368   powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description                        pid    process          target process
  PID 3004 wrote to memory of 3708   3004   Loader.exe       cmd.exe
  PID 3004 wrote to memory of 3708   3004   Loader.exe       cmd.exe
  PID 3708 wrote to memory of 2596   3708   cmd.exe          cacls.exe
  PID 3708 wrote to memory of 2596   3708   cmd.exe          cacls.exe
  PID 3708 wrote to memory of 2380   3708   cmd.exe          cmd.exe
  PID 3708 wrote to memory of 2380   3708   cmd.exe          cmd.exe
  PID 2380 wrote to memory of 2368   2380   cmd.exe          powershell.exe
  PID 2380 wrote to memory of 2368   2380   cmd.exe          powershell.exe
  PID 2380 wrote to memory of 4400   2380   cmd.exe          choice.exe
  PID 2380 wrote to memory of 4400   2380   cmd.exe          choice.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  PID: 3004
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat" "
    PID: 3708
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cacls.exe
      Command line: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
      PID: 2596

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
      PID: 2380
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\'
        PID: 2368
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\choice.exe
        Command line: choice /c y /n /t 10 /d y
        PID: 4400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:8
  PID: 3996
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypass.bat
  Filesize: 9KB
  MD5: 4c44aab923a5c7719850e5138ecb64c0
  SHA1: 9634bb1db8ed400b033225a849c88c7908d61b3d
  SHA256: 63047a792bde6efb6aab1a6dbb178f55b6ae86317d75cb4470e51dd0ef76be2e
  SHA512: 98fd476c2b48be92a6101ff71514818eca6c7849ad17097b86babbbae9ecc9ff60a0a88c143a6ccbb67f002798531ab3717ad3fd7246de53c49b8daaeebad8f0

C:\Users\Admin\AppData\Local\Temp\Loader\AntiCheatBypasss.bat
  Filesize: 8KB
  MD5: 67789813c0d52fa2d7bfbffd5d572e6e
  SHA1: 52389d023f55bda8aba2efdbe82ee48c17f19639
  SHA256: ab044df54893f5f2e54233fc6ea4ef6dd8a9a0731a893734f287e62eeae0c3cf
  SHA512: 467f875a6bf70a39fcb4918952706d41f92c0166c4c2ad2a9c6b2207c7ac076a155dbc9b7682e65f9f9498c3636bd2b04e2aad5b2b89a185ea22bb6146980527

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgaiagz5.v2f.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2368-14-0x00007FFB40573000-0x00007FFB40575000-memory.dmp
  Filesize: 8KB

memory/2368-21-0x0000029435E30000-0x0000029435E52000-memory.dmp
  Filesize: 136KB

memory/2368-15-0x00007FFB40570000-0x00007FFB41031000-memory.dmp
  Filesize: 10.8MB

memory/2368-26-0x00007FFB40570000-0x00007FFB41031000-memory.dmp
  Filesize: 10.8MB

memory/2368-29-0x00007FFB40570000-0x00007FFB41031000-memory.dmp
  Filesize: 10.8MB