Overview

overview

7

Static

static

3

Loader.exe

windows7-x64

3

Loader.exe

windows10-1703-x64

7

Loader.exe

windows10-2004-x64

7

Loader.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    359s
  • max time network
    359s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-07-2024 11:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    857KB

  • MD5

    2b4ca19ce32a373dde70fb0ebdf96fc7

  • SHA1

    0273612af7bd1080541d32496162f1a62bac27e6

  • SHA256

    6f18bcd3189e785d72b313e0d453eae7548af0b55a36eded240f532475f734da

  • SHA512

    89082aaaf1c11159b55ef038c4c7e303708f5b850d82b4302ba6903381c5f70ff80c9c2b54416a1211944fbc7fd9cf4fc6ef121b39a4de62692d277c21ab4b81

  • SSDEEP

    12288:kAyjhkgp8WRcJ/VQ/Rm8g5rbEU8cwqAWfg0um2IvZc94WvGGQsh61HdpTmgSBex2:8hk1sJRxyxAgFRZc94QbQsGTmBKy

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3496
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2376
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:196
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.0.2033436807\665303088" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ad72157-66f1-4caf-b0c0-4f1fc5133bb4} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 1796 20899ec7e58 gpu
        3⤵
          PID:5008
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.1.1957859226\857455891" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24ffd8ac-b8dd-4829-a0ba-5eadbc5121f8} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 2152 20887b72e58 socket
          3⤵
            PID:2348
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.2.660635343\39053404" -childID 1 -isForBrowser -prefsHandle 3136 -prefMapHandle 3024 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b8588c4-19f9-426d-a9e7-9249e361f3e2} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 3012 2089e09a258 tab
            3⤵
              PID:4420
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.3.1646147821\1191406382" -childID 2 -isForBrowser -prefsHandle 3464 -prefMapHandle 3460 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d675d4df-2505-45a8-b5b0-687b6833e886} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 3060 20887b5df58 tab
              3⤵
                PID:1244
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.4.888272985\1037909243" -childID 3 -isForBrowser -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a7fe373-340f-4a81-abb8-a94734a831f9} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 4336 2089ffa7458 tab
                3⤵
                  PID:828
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.5.1454269611\217879537" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd662ab7-28d1-45b3-a434-d8900e46674d} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 4892 208a063fb58 tab
                  3⤵
                    PID:676
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.6.2126636875\2106430242" -childID 5 -isForBrowser -prefsHandle 4984 -prefMapHandle 4988 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8811e54-70b3-44f9-88d5-b8cdb654b172} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 4976 208a063fe58 tab
                    3⤵
                      PID:2448
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.7.1573441718\1663425558" -childID 6 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {743905dd-3428-4b97-919b-2648133ea39d} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5160 208a0cafd58 tab
                      3⤵
                        PID:2476
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2768.8.416235416\1510666788" -childID 7 -isForBrowser -prefsHandle 5556 -prefMapHandle 5204 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f456fed2-5cf3-46cb-9420-8d5d9998f278} 2768 "\\.\pipe\gecko-crash-server-pipe.2768" 5664 208a24c9758 tab
                        3⤵
                          PID:4580

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
                      Filesize

                      2KB

                      MD5

                      6053aab100e8d92360eaef8b94864e32

                      SHA1

                      3eabd1bed4877241399cbe8072aee0a6071f82a0

                      SHA256

                      d36abb89ec7e1053e8d38a1aaed9dfb08e7a861fc7a8d15744dcbe3824ee93e4

                      SHA512

                      679f4c3692825f8cb6d409246b142b53edbaf4107e261d5659e8e581dfd13f41cce20f5142396ee0fec8df0bfa1eab8c8e2e5e0d171ac3db3a370aeb2625fcaa

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\3850f573-368a-46ea-9768-e44a745265f5
                      Filesize

                      11KB

                      MD5

                      6fdfc9afef3385d26ad4d8a765e60a65

                      SHA1

                      655b54b9e49e87ca8636817892088cf6e51f1194

                      SHA256

                      4731b9fd674a4495264516ef117904a3a3e8ddeb268baf8cb84787bb608cdea1

                      SHA512

                      d9f7760c030d60bfc5476f0c42581d1e4744430be72d003114bf73a3a65dda2d6a8c158bd4d59dd65e3dac61595f17d80d191bd3f90698e347b9f983dff41c1e

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\cf4df355-59e2-4cb0-923d-fec5622174a2
                      Filesize

                      746B

                      MD5

                      bf2480d02dacb20b28681b88bec752f5

                      SHA1

                      dd98f6d6fecb981d23e4c4d366b3e4a530799149

                      SHA256

                      fc9409ef66e6d3578f4b934ec7d6be5d7c8fdf2ad906476f58a25a603d8176d3

                      SHA512

                      4042db2bd8aab4ce2ed60d89bed25da00cc4d1fd17ae723c619f1f65b8dbc67af6653f03947805d6a90481830896444014f5b745e1cb2fb33a409f10d4ed095a

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
                      Filesize

                      6KB

                      MD5

                      4a18fffb6a40b04938e6cf2b7375b80a

                      SHA1

                      ed08a38d25697ce8bcb4c5b147c14d7668ade03a

                      SHA256

                      7f7da47d6a1b1101474733c90536752ddec65436da20dde32df0556c0e2e46ab

                      SHA512

                      88bd06a855ca54d614464e1ffa9b032c434209071e1ac97ea59a013b50d0cf391f1ef2f118911339f4489a0536394a32c825e5a0dd9fd46bc987282e72245ca5

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
                      Filesize

                      3KB

                      MD5

                      3df53142a6a5d7d117da272bdfdea000

                      SHA1

                      9fd9e880a68c5968302e1902bbd7a4bee0b82f3a

                      SHA256

                      a922f8f6f56885050c659de852e558221551a4051700226aaa79e149f9722f79

                      SHA512

                      ce68921ed52ce9e4408e7cf8be3df0e3bb2c61b1813fa69e2d0e3440ac181aef71ae8510e7d6bbbc2e12a745d811d0a7f749fe37d9df9f47222c4a1f250e5238

                      Download Submit

                    • memory/2376-10-0x0000000008600000-0x000000000864B000-memory.dmp

                      Filesize

                      300KB

                      Download

                    • memory/2376-14-0x00000000095E0000-0x0000000009656000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/2376-7-0x00000000084F0000-0x00000000085FA000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/2376-8-0x0000000008420000-0x0000000008432000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2376-9-0x0000000008480000-0x00000000084BE000-memory.dmp

                      Filesize

                      248KB

                      Download

                    • memory/2376-1-0x0000000000400000-0x00000000004A6000-memory.dmp

                      Filesize

                      664KB

                      Download

                    • memory/2376-13-0x00000000092B0000-0x0000000009316000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/2376-6-0x0000000008960000-0x0000000008F66000-memory.dmp

                      Filesize

                      6.0MB

                      Download

                    • memory/2376-15-0x00000000095C0000-0x00000000095DE000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/2376-16-0x0000000009F70000-0x000000000A132000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/2376-17-0x000000000A670000-0x000000000AB9C000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/2376-5-0x0000000005450000-0x000000000545A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2376-4-0x0000000005490000-0x0000000005522000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/2376-3-0x0000000005990000-0x0000000005E8E000-memory.dmp

                      Filesize

                      5.0MB

                      Download

                    • memory/2376-2-0x0000000073AAE000-0x0000000073AAF000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3496-0-0x0000000000B80000-0x0000000000B81000-memory.dmp

                      Filesize

                      4KB

                      Download