Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-07-2024 08:06
Behavioral tasks (same sample run on four images)
- behavioral1: Loader 3.0.exe on win7-20240708-en
- behavioral2: Loader 3.0.exe on win10-20240404-en
- behavioral3: Loader 3.0.exe on win10v2004-20240709-en (the run reported below)
- behavioral4: Loader 3.0.exe on win11-20240709-en
General
- Target: Loader 3.0.exe
- Size: 147KB
- MD5: ff4cd364323fc2048c35783a38070aef
- SHA1: 4736172dd07a3a196343b94dd56b4e4edc0f2bce
- SHA256: 6dd7522accb6773bade16720b53ca577574defae5b1c7caf4b7fc6826dfed7e7
- SHA512: c72b07b78ccbcfad14fa9f7bc3e8a086c29969b4f7f30dbe57a1a173cd82d61a20bf5ead0bc7b627d5d7f7f0def71710e2ce09590be7a886ad6c9414981eb961
- SSDEEP: 1536:FzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDEtDyI4njdbJBGCkmsQwvB6jr4j:GqJogYkcSNm9V7Dk4F91qYUrnbT
Malware Config
Signatures
- Renames multiple (655) files with added filename extension
  Mass renaming of user files to append one new extension is the file-system footprint of ransomware encrypting everything it can reach. The report does not print the extension used; the file class registered under HKLM\SOFTWARE\Classes further down (.Jw5Jgl9mC) is the obvious candidate, and renamed files carrying it are what to look for on an affected host.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, most likely as a geofence: many ransomware families exit when the configured locale is on an exclusion list.
  Process: E37B.tmp
  Key value queried: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation (E37B.tmp)
- Deletes itself (1 IoC)
  Process: E37B.tmp (PID 2060); the deletion is carried out by the cmd.exe child shown in the process tree.
- Executes dropped EXE (1 IoC)
  Process: E37B.tmp (PID 2060), the dropped file at C:\ProgramData\E37B.tmp, launched by Loader 3.0.exe (PID 1712).
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials. The report attaches no IoC to this signature, so treat it as unconfirmed for this sample.
- Drops desktop.ini file(s) (2 IoCs)
  Process: Loader 3.0.exe
  File opened for modification: C:\$Recycle.Bin\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini (Loader 3.0.exe)
  File opened for modification: F:\$RECYCLE.BIN\S-1-5-21-47134698-4092160662-1261813102-1000\desktop.ini (Loader 3.0.exe)
  The F: entry shows the sample walking every mounted volume, not only the system drive.
- Drops file in System32 directory (4 IoCs)
  Processes: splwow64.exe, printfilterpipelinesvc.exe
  File created: C:\Windows\system32\spool\PRINTERS\00002.SPL (splwow64.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPj4u_g4xf4rclwbrbx7q2xrk7c.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPo8kbj_qtv07d2p85bbyob3o0c.TMP (printfilterpipelinesvc.exe)
  File created: C:\Windows\system32\spool\PRINTERS\PPw50l40njmanatnynuomhssf5b.TMP (printfilterpipelinesvc.exe)
  These are print spooler job files written by Windows components, not payloads dropped by the sample. They are consistent with the sample submitting a print job (splwow64.exe is a child of Loader 3.0.exe in the process tree), which is how ransomware commonly pushes its note to attached printers.
- Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Process: Loader 3.0.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp" (Loader 3.0.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Jw5Jgl9mC.bmp" (Loader 3.0.exe)
  Registry value names are case-insensitive, so both entries hit the same Wallpaper value; the dropped .bmp in C:\ProgramData is a host artefact worth collecting.
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Process: E37B.tmp (PID 2060). ThreadHideFromDebugger stops the kernel from delivering that thread's debug events, so a breakpoint in it hangs the debugger; it is a stock anti-analysis step, used here by the dropped second stage rather than by Loader 3.0.exe.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drives; matches the F: volume activity above.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Process: ONENOTE.EXE
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (ONENOTE.EXE)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (ONENOTE.EXE)
  Processor information is often read to detect sandboxes, but every IoC here comes from ONENOTE.EXE, a legitimate Office binary started by the print pipeline (see the process tree), not from the sample. Do not score this signature against the sample.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: ONENOTE.EXE (same caveat as above)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (ONENOTE.EXE)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (ONENOTE.EXE)
- Modifies Control Panel (2 IoCs)
  Process: Loader 3.0.exe
  Key created: \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop (Loader 3.0.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\Desktop\WallpaperStyle = "10" (Loader 3.0.exe)
  WallpaperStyle 10 is "Fill"; it accompanies the wallpaper change above.
- Modifies registry class (5 IoCs)
  Process: Loader 3.0.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC (Loader 3.0.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.Jw5Jgl9mC\ = "Jw5Jgl9mC" (Loader 3.0.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon (Loader 3.0.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC (Loader 3.0.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Jw5Jgl9mC\DefaultIcon\ = "C:\\ProgramData\\Jw5Jgl9mC.ico" (Loader 3.0.exe)
  This registers a file type for the .Jw5Jgl9mC extension with ProgID Jw5Jgl9mC and an icon dropped in ProgramData, so encrypted files show a custom icon in Explorer. Writing under HKLM\SOFTWARE\Classes needs administrator rights, so the sample was running elevated. Three host artefacts follow directly: C:\ProgramData\Jw5Jgl9mC.bmp, C:\ProgramData\Jw5Jgl9mC.ico and C:\ProgramData\E37B.tmp (the last one deletes itself).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: Loader 3.0.exe (PID 1712); the report lists the same entry 64 times.
- Suspicious behavior: RenamesItself (26 IoCs)
  Process: E37B.tmp (PID 2060); 26 identical entries.
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: Loader 3.0.exe (PID 1712)
  Privileges enabled, in order: SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeDebugPrivilege, 36, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, 33, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeSystemProfilePrivilege, SeTakeOwnershipPrivilege, SeShutdownPrivilege, SeDebugPrivilege; the remaining 48 entries alternate in pairs between SeBackupPrivilege and SeSecurityPrivilege. The two shown only as numbers (36, 33) are privileges the report prints by LUID without a name.
  Why it matters: SeBackupPrivilege and SeRestorePrivilege together bypass file ACLs for reading and writing, SeTakeOwnershipPrivilege lets the process seize anything it still cannot touch, SeSecurityPrivilege covers SACLs and the Security event log, and SeDebugPrivilege opens any process. The repeated SeBackup/SeSecurity toggling is consistent with the privilege being re-enabled around individual file operations during the encryption walk.
- Suspicious use of SetWindowsHookEx (13 IoCs)
  Process: ONENOTE.EXE (PID 3636), 13 identical entries. Ordinary Office behaviour; same caveat as the other ONENOTE.EXE signatures.
- Suspicious use of WriteProcessMemory (11 IoCs)
  These are the writes CreateProcess itself makes into a newly created child, so each pair is also an edge of the process tree:
  PID 1712 Loader 3.0.exe -> PID 900 splwow64.exe (procid_target 89, 2 writes)
  PID 5104 printfilterpipelinesvc.exe -> PID 3636 ONENOTE.EXE (procid_target 92, 2 writes)
  PID 1712 Loader 3.0.exe -> PID 2060 E37B.tmp (procid_target 93, 4 writes)
  PID 2060 E37B.tmp -> PID 4716 cmd.exe (procid_target 94, 3 writes)
  procid_target is the sandbox's own index for the target process, not a Windows PID.
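The signatures above can be checked mechanically from endpoint telemetry: a burst of renames that append one extension, a Wallpaper write pointing at a .bmp in ProgramData, a new extension under HKLM\SOFTWARE\Classes, the Geo\Nation lookup, and the backup/restore/take-ownership privileges being enabled together. The following is an added example, not code from the sandbox or from this report. It scores constructed Sysmon-style event dicts per process; the event field names, the regexes and the threshold of 50 renames are assumptions, and the events mirror the IoCs listed above.

```python
"""Score one process for the ransomware behaviours this report lists.

Added example, not sandbox code. Events are constructed Sysmon-style dicts
(file renames, registry sets/queries, privilege enables) tagged with the pid
of the acting process. Thresholds, patterns and field names are assumptions.
"""
import ntpath
import re
from collections import Counter

MASS_RENAME_MIN = 50  # assumed threshold: renames appending the same extension
WALLPAPER_RE = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
CLASS_EXT_RE = re.compile(r"\\SOFTWARE\\Classes\\(\.[^\\]+)\\?$", re.I)
GEO_NATION_RE = re.compile(r"\\International\\Geo\\Nation$", re.I)
# Together these let a process read and overwrite files regardless of their ACLs.
ACL_BYPASS_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}
HKU = "\\REGISTRY\\USER\\S-1-5-21-47134698-4092160662-1261813102-1000"  # user hive in the report


def added_extension(src, dst):
    """Return the extension a rename appended to src, or None.

    C:\\d\\a.docx -> C:\\d\\a.docx.Jw5Jgl9mC yields '.Jw5Jgl9mC'; a rename that
    changes the directory or the original file name yields None.
    """
    if ntpath.dirname(src).lower() != ntpath.dirname(dst).lower():
        return None
    s, d = ntpath.basename(src), ntpath.basename(dst)
    if d.lower().startswith(s.lower()) and len(d) > len(s) + 1 and d[len(s)] == ".":
        return d[len(s):]
    return None


def score_process(events, pid):
    """Return {'score': n, 'findings': [...]} for the events attributed to pid."""
    findings, ext_counts, registered, privs = [], Counter(), set(), set()
    for ev in events:
        if ev["pid"] != pid:
            continue
        if ev["kind"] == "rename":
            ext = added_extension(ev["src"], ev["dst"])
            if ext:
                ext_counts[ext.lower()] += 1
        elif ev["kind"] == "reg_set":
            if WALLPAPER_RE.search(ev["key"]) and ev["value"].lower().endswith(".bmp"):
                findings.append("wallpaper replaced with " + ev["value"])
            m = CLASS_EXT_RE.search(ev["key"])
            if m:  # new extension given a ProgID under HKLM\SOFTWARE\Classes
                registered.add(m.group(1).lower())
        elif ev["kind"] == "reg_query" and GEO_NATION_RE.search(ev["key"]):
            findings.append("queried Control Panel\\International\\Geo\\Nation (geofence check)")
        elif ev["kind"] == "priv_enable":
            privs.add(ev["priv"])
    for ext, n in ext_counts.items():
        if n >= MASS_RENAME_MIN:
            findings.append(f"{n} files renamed with appended extension {ext}")
            if ext in registered:
                findings.append(f"file class registered for {ext}")
    if ACL_BYPASS_PRIVS <= privs:
        findings.append("enabled SeBackup/SeRestore/SeTakeOwnership privileges")
    return {"score": len(findings), "findings": findings}


def sample_events():
    """Constructed events mirroring the report's IoCs; pid 1712 is the sample."""
    evs = [{"pid": 1712, "kind": "rename",
            "src": f"C:\\Users\\Admin\\Documents\\doc{i}.docx",
            "dst": f"C:\\Users\\Admin\\Documents\\doc{i}.docx.Jw5Jgl9mC"} for i in range(60)]
    evs += [
        {"pid": 1712, "kind": "reg_set", "key": HKU + "\\Control Panel\\Desktop\\WallPaper",
         "value": "C:\\ProgramData\\Jw5Jgl9mC.bmp"},
        {"pid": 1712, "kind": "reg_set", "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\.Jw5Jgl9mC",
         "value": "Jw5Jgl9mC"},
        {"pid": 1712, "kind": "priv_enable", "priv": "SeBackupPrivilege"},
        {"pid": 1712, "kind": "priv_enable", "priv": "SeRestorePrivilege"},
        {"pid": 1712, "kind": "priv_enable", "priv": "SeTakeOwnershipPrivilege"},
        {"pid": 2060, "kind": "reg_query",
         "key": HKU + "\\Control Panel\\International\\Geo\\Nation"},
        # benign control: a single backup-style rename by an unrelated process
        {"pid": 4400, "kind": "rename", "src": "C:\\Users\\Admin\\notes.txt",
         "dst": "C:\\Users\\Admin\\notes.txt.bak"},
    ]
    return evs


if __name__ == "__main__":
    evs = sample_events()
    for pid in (1712, 2060, 4400):
        print(pid, score_process(evs, pid))
```

The rename rule keys on the suffix being appended to an otherwise unchanged name in the same directory, which is what separates ransomware from a user saving a file under a new name; the class-registration rule only raises the score when the registered extension is the one being appended, tying the two IoC groups together.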
Processes
- C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe (PID 1712)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"
  Drops desktop.ini file(s); Sets desktop wallpaper using registry; Modifies Control Panel; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 900)
    Command line: C:\Windows\splwow64.exe 12288
    Drops file in System32 directory
  - C:\ProgramData\E37B.tmp (PID 2060)
    Command line: "C:\ProgramData\E37B.tmp"
    Checks computer location settings; Deletes itself; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: RenamesItself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4716)
      Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E37B.tmp >> NUL
- C:\Windows\system32\svchost.exe (PID 3700)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
- C:\Windows\system32\printfilterpipelinesvc.exe (PID 5104)
  Command line: C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
  Drops file in System32 directory; Suspicious use of WriteProcessMemory
  - C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE (PID 3636)
    Command line: /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{BEE2442A-02B3-473A-877C-2B98F9ECCDEA}.xps" 133655044043390000
    Checks processor information in registry; Enumerates system info in registry; Suspicious use of SetWindowsHookEx

Reading the tree:
- Loader 3.0.exe is the first stage: it changes the wallpaper, registers the .Jw5Jgl9mC file class, enables the backup/restore/take-ownership privileges and launches the dropped second stage, C:\ProgramData\E37B.tmp.
- E37B.tmp performs the geofence check and the anti-debug call, then removes itself through cmd.exe. The DEL target is written with the 8.3 short name C:\PROGRA~3\E37B.tmp, so a detection that compares the command line literally with the parent's image path misses it. cmd.exe is requested as C:\Windows\System32\cmd.exe but runs from C:\Windows\SysWOW64: that is WoW64 file-system redirection, which shows E37B.tmp is a 32-bit process.
- The splwow64.exe child of Loader 3.0.exe and the svchost PrintWorkflow / printfilterpipelinesvc.exe / ONENOTE.EXE chain are the Windows print path. splwow64.exe is the helper Windows starts when a 32-bit process prints on 64-bit Windows, the spooler renders the job to XPS, and a OneNote print target hands the rendered document to ONENOTE.EXE /insertdoc. The OneNote-attributed signatures are therefore a side effect of the sample printing (typically its note), not behaviour of the sample's own code. The trailing 18-digit argument has the form of a Windows FILETIME.
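The self-deletion in the tree is the step most often missed by naive parent/child rules, because the DEL target uses the 8.3 short path C:\PROGRA~3\E37B.tmp while the parent's image is C:\ProgramData\E37B.tmp. The following is an added example, not sandbox code: it scans constructed process-creation records for a cmd.exe child whose DEL target resolves to its parent's image, comparing path components against a simplified model of 8.3 name generation (six characters of the name with spaces and dots removed, a tilde, a digit, and up to three characters of extension). The model covers the common ~1..~9 forms; on a live host the reliable check is to resolve the target with GetLongPathNameW.

```python
"""Detect a process deleting its own image through a child cmd.exe.

Added example, not sandbox code. The report's E37B.tmp (C:\\ProgramData) spawns
  cmd.exe /C DEL /F /Q C:\\PROGRA~3\\E37B.tmp >> NUL
The DEL target uses the 8.3 short name PROGRA~3, so a literal comparison with
the parent's image path fails. The 8.3 expansion below is a simplified model
(assumption: no collision-hash forms); process records are constructed.
"""
import re

# <prefix>~<n>[.<ext>]: prefix is the long name minus spaces/dots, cut to 6 chars
SHORT_RE = re.compile(r"^([^~.\\]{1,6})~\d+(\.[^.\\]{0,3})?$")
# DEL or ERASE, optional /switches, then a quoted or bare target path
DEL_RE = re.compile(r'\b(?:del|erase)\b(?:\s+/[a-z])*\s+(?:"([^"]+)"|([^\s">]+))', re.I)


def component_matches(long_part, target_part):
    """True if target_part equals long_part or is a plausible 8.3 form of it."""
    if long_part.lower() == target_part.lower():
        return True
    m = SHORT_RE.match(target_part)
    if not m:
        return False
    stem, _, ext = long_part.rpartition(".") if "." in long_part else (long_part, "", "")
    prefix = re.sub(r"[\s.]", "", stem).upper()[:6]
    if prefix != m.group(1).upper():
        return False
    short_ext = (m.group(2) or "").lstrip(".").upper()
    return short_ext == ext.upper()[:3]


def paths_match(long_path, target):
    """Component-wise comparison of a long path with a possibly 8.3-shortened one."""
    a = [p for p in long_path.split("\\") if p]
    b = [p for p in target.split("\\") if p]
    return len(a) == len(b) and all(component_matches(x, y) for x, y in zip(a, b))


def is_self_delete(parent_image, child_image, child_cmdline):
    """True when the child is cmd.exe and its command line deletes parent_image."""
    if not child_image.lower().endswith("\\cmd.exe"):
        return False
    m = DEL_RE.search(child_cmdline)
    if not m:
        return False
    target = m.group(1) or m.group(2)
    return paths_match(parent_image, target)


def find_self_deletes(proc_events):
    """Return (parent_pid, child_pid) pairs from process-creation records."""
    by_pid = {e["pid"]: e for e in proc_events}
    hits = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        if parent and is_self_delete(parent["image"], e["image"], e["cmdline"]):
            hits.append((parent["pid"], e["pid"]))
    return hits


SAMPLE_PROCS = [  # constructed from the report's process tree
    {"pid": 1712, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"'},
    {"pid": 900, "ppid": 1712, "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
    {"pid": 2060, "ppid": 1712, "image": r"C:\ProgramData\E37B.tmp",
     "cmdline": r'"C:\ProgramData\E37B.tmp"'},
    {"pid": 4716, "ppid": 2060, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\E37B.tmp >> NUL'},
]

if __name__ == "__main__":
    print(find_self_deletes(SAMPLE_PROCS))
```

The rule deliberately keys on the parent's image rather than on "cmd.exe deleting a .tmp in ProgramData", so it also fires when a sample running from Temp deletes itself with a quoted long path or a LOADER~1.EXE short name.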
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 129B
  MD5: f1ed2fec40d58950bd70516152858dac
  SHA1: 35ecdc6022e8edfab0ab17dbfde90fd76b1d1b57
  SHA256: 3bec15205a80275a6807416bf8375abc50266e10dae12755dd92dc0603d1788e
  SHA512: 3573ad6b5df46e8c4894066f180ef12459c3501d502fdb372df154b7152536b5130104f74a43ad2c8657ac2f433ef5a4f008bcd2bf59c4ce30a64f8b24b4dbbd
- Filesize: 1KB
  MD5: 8b28296a2c168d86adbafc888d0f95f0
  SHA1: 49d6b109bf24f39c2c0f62c0796b8693c0bd99e5
  SHA256: 7b3daacf846fe79840647e67d9c5226a7fda47d5b32c24d874654e8ff78ffcc9
  SHA512: b0f0e0a6f2962250c3b9f87637854756e7a0fcde561aae14654d0dcd1e1013876442c0354e41c5bc8e3ef57f170ac2073874ff22fdc5656f62f930350f9df6ac
- Filesize: 14KB
  MD5: 294e9f64cb1642dd89229fff0592856b
  SHA1: 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
  SHA256: 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
  SHA512: b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf
- Filesize: 147KB (same size as the submitted sample, but different hashes)
  MD5: 59e5a822a4188ceace98691f3c05c826
  SHA1: 1ae98082110c7130d1717ccc3d565ed01341f064
  SHA256: 17d6f49e5fddb6b67b528e1e1f00a4f0bba2e38b770c6e869c20cac2911aa534
  SHA512: b271d503e4d9703071c70b160380ced0948ebbede783fc0580d30de93154eebbab50322a016eefb7610e2ad5ab520670ff6d8f3533d4ee19b398567a23f1ce02
- Filesize: 4KB
  MD5: 141f06ccac15819661b4b9ee7ed2400f
  SHA1: bc79df6107f872d656ca9f66f1048eb78e713549
  SHA256: 7075a47a7e161f53a53cb69ce1c25f368b1a86d1a667e8e92861dbb2bc9e6693
  SHA512: 8cc21467dd1a3f93be1848a075de788d4a4d57d11103290a1d3a40cde7786782c6e481f769399590131324d21095832341078c76ad9b6501ca008bccea5408a3
- Filesize: 4KB
  MD5: dcf80982ddeee8822eb72527d19f4809
  SHA1: ef262b723d693175f74dfbce80bb47d4598161fc
  SHA256: 984b2e6e4e33841124a8a62adbd64ce1fea2581d73d4ff98de8127619c685bd6
  SHA512: c1279248795a8debc7454c09a7c60ec5650debcfb9dd8d08e41396cd696f35baac8b7e89d5261646bfdc406cffdb8f22854589180e8eab38f228aa2d68c7c2a1
- Filesize: 129B
  MD5: 9cc6bbae6bc3753a8b127a99170090d4
  SHA1: 28c7a9ab96ac5e5d56f9cc6cc8c1b7d2becfe285
  SHA256: 1e4e103ac59c89b7d275ce37535ca97a68993d45f7d20d1644b08555e70f62ad
  SHA512: a04323f09421692db28323387ccbd79dd120bf559cd0b5068d185673af68220ac4d495cede1ff3eadc6533820297cd056261155aff9cd33d5eeef5a259906e33