Analysis
- max time kernel: 46s
- max time network: 56s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 18:00
Behavioral task behavioral1
- Sample: Loader.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: Loader.exe
- Resource: win10v2004-20240508-en
General
- Target: Loader.exe
- Size: 16.8MB
- MD5: 0107075cd4f1ba34b951c895eacc1285
- SHA1: f50404806a62dc04ab129397e30a9cb1d2dbc8db
- SHA256: b6977ad0b0332d1466e0843ebef2decc3e2fcc01f8fc62da2d3f2e716a63dc81
- SHA512: 0ededb1af828e7fd85b3fa38f5f17ba21222c6e0da5a1f46f5328acd379aca9153d9dd5c9da904d1a834d2b5baac2e12017aaa023d93f5b3bf312f19e1540915
- SSDEEP: 393216:muBhAp43/nfPmZXtCshmXQ3KIpoOwkwbyco/76hikE1cpPFLc5:FspnJh13Zcm76+MPZE
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Loader.exe)
Creates new service(s) 2 TTPs
Drops file in Drivers directory 1 IoCs
- File created: C:\Windows\System32\drivers\winhb.sys (Loader.exe)
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Loader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Loader.exe)
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (Loader.exe)
YARA matches (yara_rule: themida)
- behavioral2/memory/4120-0-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-2-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-3-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-4-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-5-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-9-0x0000000140000000-0x00000001425F1000-memory.dmp
- behavioral2/memory/4120-11-0x0000000140000000-0x00000001425F1000-memory.dmp
Checks whether UAC is enabled
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Loader.exe)
Drops file in System32 directory 6 IoCs
- File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} (Loader.exe)
- File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} (Loader.exe)
- File opened for modification: C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} (Loader.exe)
- File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} (Loader.exe)
- File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} (Loader.exe)
- File opened for modification: C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} (Loader.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
- PID 4120 Loader.exe
Drops file in Windows directory 4 IoCs
- File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} (Loader.exe)
- File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} (Loader.exe)
- File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} (Loader.exe)
- File opened for modification: C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} (Loader.exe)
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
- PID 1948 sc.exe
- PID 3048 sc.exe
- PID 4748 sc.exe
- PID 1000 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
- PID 4120 Loader.exe (all 64 entries are identical)
Suspicious behavior: LoadsDriver 2 IoCs
- PID 660 Process not Found
- PID 660 Process not Found
Suspicious use of WriteProcessMemory 18 IoCs
(description; pid; Process; procid_target)
- PID 4120 wrote to memory of 60; 4120; Loader.exe; 82
- PID 4120 wrote to memory of 60; 4120; Loader.exe; 82
- PID 60 wrote to memory of 4748; 60; cmd.exe; 84
- PID 60 wrote to memory of 4748; 60; cmd.exe; 84
- PID 4120 wrote to memory of 1944; 4120; Loader.exe; 85
- PID 4120 wrote to memory of 1944; 4120; Loader.exe; 85
- PID 1944 wrote to memory of 1000; 1944; cmd.exe; 87
- PID 1944 wrote to memory of 1000; 1944; cmd.exe; 87
- PID 4120 wrote to memory of 348; 4120; Loader.exe; 88
- PID 4120 wrote to memory of 348; 4120; Loader.exe; 88
- PID 348 wrote to memory of 1948; 348; cmd.exe; 90
- PID 348 wrote to memory of 1948; 348; cmd.exe; 90
- PID 4120 wrote to memory of 4132; 4120; Loader.exe; 91
- PID 4120 wrote to memory of 4132; 4120; Loader.exe; 91
- PID 4132 wrote to memory of 3048; 4132; cmd.exe; 93
- PID 4132 wrote to memory of 3048; 4132; cmd.exe; 93
- PID 4120 wrote to memory of 4024; 4120; Loader.exe; 94
- PID 4120 wrote to memory of 4024; 4120; Loader.exe; 94
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 4120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 60)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 4748)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe
  C:\Windows\System32\cmd.exe (PID 1944)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 1000)
      Command line: sc start windowsproc
      - Launches sc.exe
  C:\Windows\System32\cmd.exe (PID 348)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 1948)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe
  C:\Windows\System32\cmd.exe (PID 4132)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe (PID 3048)
      Command line: sc start windowsproc
      - Launches sc.exe
  C:\Windows\system32\cmd.exe (PID 4024)
    Command line: C:\Windows\system32\cmd.exe /c cls