Overview

overview

8

Static

static

3

loader.exe

windows7-x64

8

loader.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    7s
  • max time network
    2s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09/07/2024, 07:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    loader.exe

  • Size

    16.3MB

  • MD5

    edc8dc2a71af650c1c6272efa564adc3

  • SHA1

    697581b70bf91793b76f61a60acec8fc764b1679

  • SHA256

    18f456bc4bc4f55266f7456bfabe1f343560b6a59a3f5a68e995a34c0563a760

  • SHA512

    5509c9d4bbd2ccc5d5bf432df572b7840091a7d7fd8365ceff5acb04d7ad728bd13e750d08d2216034a773e019c7a7a382eee96be8e0f69b1b98714e93a96fd8

  • SSDEEP

    393216:8htgAGCnsGz3SN1Xg97zShawHV+Cck7hHV:+6AD53SbkzQawHb9pV

Score
8/10
evasionexecutionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Drops file in Drivers directory 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:432
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
      • Sets service image path in registry
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch
        2⤵
          PID:612
          • C:\Windows\system32\wbem\wmiprvse.exe
            C:\Windows\system32\wbem\wmiprvse.exe
            3⤵
              PID:1244
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              3⤵
                PID:864
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k RPCSS
              2⤵
                PID:692
              • C:\Windows\System32\svchost.exe
                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                2⤵
                  PID:776
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                  2⤵
                    PID:820
                    • C:\Windows\system32\Dwm.exe
                      "C:\Windows\system32\Dwm.exe"
                      3⤵
                        PID:1176
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs
                      2⤵
                        PID:856
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService
                        2⤵
                          PID:980
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k NetworkService
                          2⤵
                            PID:280
                          • C:\Windows\System32\spoolsv.exe
                            C:\Windows\System32\spoolsv.exe
                            2⤵
                              PID:396
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                              2⤵
                                PID:1080
                              • C:\Windows\system32\taskhost.exe
                                "taskhost.exe"
                                2⤵
                                  PID:1116
                                • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
                                  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
                                  2⤵
                                    PID:2024
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                                    2⤵
                                      PID:2284
                                    • C:\Windows\system32\sppsvc.exe
                                      C:\Windows\system32\sppsvc.exe
                                      2⤵
                                        PID:3008
                                      • C:\ProgramData\WindowsServices\WindowsAutHost
                                        C:\ProgramData\WindowsServices\WindowsAutHost
                                        2⤵
                                          PID:844
                                          • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                            3⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            PID:652
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                            3⤵
                                              PID:1056
                                              • C:\Windows\system32\wusa.exe
                                                wusa /uninstall /kb:890830 /quiet /norestart
                                                4⤵
                                                  PID:1940
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop UsoSvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:1040
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:2060
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop wuauserv
                                                3⤵
                                                • Launches sc.exe
                                                PID:1740
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop bits
                                                3⤵
                                                • Launches sc.exe
                                                PID:1284
                                              • C:\Windows\system32\sc.exe
                                                C:\Windows\system32\sc.exe stop dosvc
                                                3⤵
                                                • Launches sc.exe
                                                PID:2392
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                PID:2280
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                PID:344
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                3⤵
                                                • Power Settings
                                                PID:1712
                                              • C:\Windows\system32\powercfg.exe
                                                C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                3⤵
                                                • Power Settings
                                                PID:1992
                                              • C:\Windows\system32\dialer.exe
                                                C:\Windows\system32\dialer.exe
                                                3⤵
                                                  PID:1724
                                                • C:\Windows\system32\dialer.exe
                                                  C:\Windows\system32\dialer.exe
                                                  3⤵
                                                    PID:2784
                                                  • C:\Windows\system32\dialer.exe
                                                    dialer.exe
                                                    3⤵
                                                      PID:1232
                                                • C:\Windows\system32\lsass.exe
                                                  C:\Windows\system32\lsass.exe
                                                  1⤵
                                                    PID:492
                                                  • C:\Windows\system32\lsm.exe
                                                    C:\Windows\system32\lsm.exe
                                                    1⤵
                                                      PID:500
                                                    • C:\Windows\Explorer.EXE
                                                      C:\Windows\Explorer.EXE
                                                      1⤵
                                                        PID:1212
                                                        • C:\Users\Admin\AppData\Local\Temp\loader.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\loader.exe"
                                                          2⤵
                                                          • Loads dropped DLL
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:2216
                                                          • C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\4356897439864370634.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\4356897439864370634.exe"
                                                            3⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2780
                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 108
                                                              4⤵
                                                              • Loads dropped DLL
                                                              • Program crash
                                                              PID:1164
                                                          • C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\Installer.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\Installer.exe"
                                                            3⤵
                                                            • Drops file in Drivers directory
                                                            • Executes dropped EXE
                                                            • Drops file in System32 directory
                                                            • Suspicious use of SetThreadContext
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2840
                                                            • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                                                              C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                                                              4⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Drops file in System32 directory
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2548
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                                                              4⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:3060
                                                              • C:\Windows\system32\wusa.exe
                                                                wusa /uninstall /kb:890830 /quiet /norestart
                                                                5⤵
                                                                • Drops file in Windows directory
                                                                PID:2864
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop UsoSvc
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:1868
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop WaaSMedicSvc
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:2880
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop wuauserv
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:2756
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop bits
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:3016
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop dosvc
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:608
                                                            • C:\Windows\system32\powercfg.exe
                                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                                                              4⤵
                                                              • Power Settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1984
                                                            • C:\Windows\system32\powercfg.exe
                                                              C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                                                              4⤵
                                                              • Power Settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2428
                                                            • C:\Windows\system32\powercfg.exe
                                                              C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                                                              4⤵
                                                              • Power Settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:796
                                                            • C:\Windows\system32\powercfg.exe
                                                              C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                                                              4⤵
                                                              • Power Settings
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:588
                                                            • C:\Windows\system32\dialer.exe
                                                              C:\Windows\system32\dialer.exe
                                                              4⤵
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:1588
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe delete "WindowsAutHost"
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:1596
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:1480
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe stop eventlog
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:2908
                                                            • C:\Windows\system32\sc.exe
                                                              C:\Windows\system32\sc.exe start "WindowsAutHost"
                                                              4⤵
                                                              • Launches sc.exe
                                                              PID:2880
                                                      • C:\Windows\system32\conhost.exe
                                                        \??\C:\Windows\system32\conhost.exe "-1931345662477974990-7173449931332575283-1665982043816384525-1468136141-1642227534"
                                                        1⤵
                                                          PID:700
                                                        • C:\Windows\system32\conhost.exe
                                                          \??\C:\Windows\system32\conhost.exe "-1148592147-455859060-112744601696925100-99071458918593316381423402522068681117"
                                                          1⤵
                                                            PID:1048
                                                          • C:\Windows\system32\conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe "1152149095-1942072496-11293801583495113507335219921105280871842252919738612257"
                                                            1⤵
                                                              PID:2592
                                                            • C:\Windows\system32\conhost.exe
                                                              \??\C:\Windows\system32\conhost.exe "607859106596361585489313496-1227635560-19565512531028571841-335847076-924547537"
                                                              1⤵
                                                                PID:2520

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\4356897439864370634.exe
                                                                Filesize

                                                                665KB

                                                                MD5

                                                                5ea30ed7a18cb503c64c9589f415015a

                                                                SHA1

                                                                70d8f3cba897af921d246c7d90adce2f479328fd

                                                                SHA256

                                                                1c0c5aabfd797fd5978df8e5b992946f6f3099b987629c20e77f3ef581579c65

                                                                SHA512

                                                                b5b75eb6a37161e97372ca04839a53d35b2594941268e80442bb954c489e3611634900df322161792d6da80e51dadb9623760a4c93a022fc21e3eafce07dd1f1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\Installer.exe
                                                                Filesize

                                                                16.7MB

                                                                MD5

                                                                e760e50cc4cb2488fd59a59a064ee1b1

                                                                SHA1

                                                                30c7f6c5ec103cd2847081f1fd10340f3157ff29

                                                                SHA256

                                                                8f4c6d8591e9a44782191ceb7bc031f710e9d5e03bdf3353aa080bb58474cf2d

                                                                SHA512

                                                                ac8018b0eb5ad05eb4921dd8c491118eadc9f02c70ee7e76d72849cde9630b3f0c89ccf7c3fabe9af1d589d5406f8accc5c446b5c584c19ff64bd62c6f87278e

                                                                Download Submit

                                                              • C:\Windows\system32\drivers\etc\hosts
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                f7892522ff70f44411dd60ed28638405

                                                                SHA1

                                                                ab16eb12875ff707bb10949670a2b6d6659b41c5

                                                                SHA256

                                                                32f44736ff15641ef054638c865384fcc4de2ac5bccc6bb123f19b55bd90d522

                                                                SHA512

                                                                d4e5c97a84d5202044c2c7739a6a75ab6c4ff70efaed2af4789c9fcc278ce39b064f280de93a61b638b626ab40a25b1d110253244807704601456791c1384bdc

                                                                Download Submit

                                                              • memory/432-90-0x000007FEBE340000-0x000007FEBE350000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/432-91-0x0000000036EE0000-0x0000000036EF0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/432-53-0x0000000000BF0000-0x0000000000C14000-memory.dmp

                                                                Filesize

                                                                144KB

                                                                Download

                                                              • memory/432-55-0x0000000000BF0000-0x0000000000C14000-memory.dmp

                                                                Filesize

                                                                144KB

                                                                Download

                                                              • memory/432-56-0x0000000000F00000-0x0000000000F2B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/476-60-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/476-61-0x000007FEBE340000-0x000007FEBE350000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/476-62-0x0000000036EE0000-0x0000000036EF0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/492-98-0x0000000036EE0000-0x0000000036EF0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/492-94-0x00000000000A0000-0x00000000000CB000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/492-96-0x000007FEBE340000-0x000007FEBE350000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/652-336-0x000000001A190000-0x000000001A472000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/652-337-0x00000000009A0000-0x00000000009A8000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/1588-50-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-45-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-49-0x0000000076C80000-0x0000000076D9F000-memory.dmp

                                                                Filesize

                                                                1.1MB

                                                                Download

                                                              • memory/1588-47-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-42-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-43-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-44-0x0000000140000000-0x000000014002B000-memory.dmp

                                                                Filesize

                                                                172KB

                                                                Download

                                                              • memory/1588-48-0x0000000076EA0000-0x0000000077049000-memory.dmp

                                                                Filesize

                                                                1.7MB

                                                                Download

                                                              • memory/2548-40-0x0000000002850000-0x0000000002858000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/2548-39-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

                                                                Filesize

                                                                2.9MB

                                                                Download

                                                              • memory/2780-23-0x0000000000070000-0x0000000000071000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2840-33-0x000000013F730000-0x0000000141479000-memory.dmp

                                                                Filesize

                                                                29.3MB

                                                                Download

                                                              • memory/2840-31-0x0000000077050000-0x0000000077052000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2840-27-0x0000000077050000-0x0000000077052000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2840-29-0x0000000077050000-0x0000000077052000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download