77dc213ba8d1c31a3dcffb1195716a68ba077392f1ed0d9c9dd2c38dbb229458

General

Target

Loader.exe
Size

20.9MB
MD5

0d69a0c8a36cb686c159ef0da8e736be
SHA1

1257ed7d6cbc48ee0e3fe927af91c33db334c03a
SHA256

77dc213ba8d1c31a3dcffb1195716a68ba077392f1ed0d9c9dd2c38dbb229458
SHA512

b4d8b5a780189ec245ca3270f5aae6114406ac37d5dfc453e202323fc321956b1d11b92c361787440f02295d4f6d180aa1b69b0a18959127d76106bc5f5cd575
SSDEEP

393216:EhUhQ430ckp6baE15lkv/okhuIeOF87iaf5314kpYL8iAh2dhdzGoIfqsA:EyhQI0d9E15ivO8ylYLFh+CB

Score

9^/10

evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\IME\SHARED\namef.ini	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2728	Loader.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2736	sc.exe
2972	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe
2728	Loader.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2896	2728	Loader.exe	31
PID 2728 wrote to memory of 2896	2728	Loader.exe	31
PID 2728 wrote to memory of 2896	2728	Loader.exe	31
PID 2728 wrote to memory of 2772	2728	Loader.exe	32
PID 2728 wrote to memory of 2772	2728	Loader.exe	32
PID 2728 wrote to memory of 2772	2728	Loader.exe	32
PID 2728 wrote to memory of 2624	2728	Loader.exe	33
PID 2728 wrote to memory of 2624	2728	Loader.exe	33
PID 2728 wrote to memory of 2624	2728	Loader.exe	33
PID 2624 wrote to memory of 2736	2624	cmd.exe	35
PID 2624 wrote to memory of 2736	2624	cmd.exe	35
PID 2624 wrote to memory of 2736	2624	cmd.exe	35
PID 2728 wrote to memory of 2904	2728	Loader.exe	36
PID 2728 wrote to memory of 2904	2728	Loader.exe	36
PID 2728 wrote to memory of 2904	2728	Loader.exe	36
PID 2728 wrote to memory of 2112	2728	Loader.exe	37
PID 2728 wrote to memory of 2112	2728	Loader.exe	37
PID 2728 wrote to memory of 2112	2728	Loader.exe	37
PID 2112 wrote to memory of 2972	2112	cmd.exe	39
PID 2112 wrote to memory of 2972	2112	cmd.exe	39
PID 2112 wrote to memory of 2972	2112	cmd.exe	39
PID 2728 wrote to memory of 2340	2728	Loader.exe	40
PID 2728 wrote to memory of 2340	2728	Loader.exe	40
PID 2728 wrote to memory of 2340	2728	Loader.exe	40

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:2972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-1-0x0000000077280000-0x0000000077282000-memory.dmp

Filesize
8KB

Download
memory/2728-0-0x0000000140000000-0x0000000142F66000-memory.dmp

Filesize
47.4MB

Download
memory/2728-2-0x0000000140000000-0x0000000142F66000-memory.dmp

Filesize
47.4MB

Download
memory/2728-3-0x0000000140000000-0x0000000142F66000-memory.dmp

Filesize
47.4MB

Download
memory/2728-4-0x0000000140000000-0x0000000142F66000-memory.dmp

Filesize
47.4MB

Download
memory/2728-10-0x0000000140000000-0x0000000142F66000-memory.dmp

Filesize
47.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads