Analysis

max time kernel: 108s
max time network: 101s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 08:47
Static task: static1
Behavioral task: behavioral1
Sample: Loader.exe
Resource: win10v2004-20240709-en
General

Target: Loader.exe
Size: 9.2MB
MD5: 8e4bc9547894a5ede75a2bd4235a8fb9
SHA1: 794f7e9856e5024bcce49c1ce5415ee70abfdb88
SHA256: ede32cc0261506b8e6fffd357c22b175ce5a45a2de83f65b49d4484ec0e969f5
SHA512: 6ed8462f58af3bbdff9451d659f93b8214db5912f2045d483d4a8278114633d07f76a78c1ee8b4661f858ae5730a7a175d0554c3e1d672ccfb603c74a4bec03d
SSDEEP: 196608:6rltiwhW9T7MdeNBn6hKmXoBiibJkuJU1WcaonK+i7:Q+90deNBnYYBHyEcaI3i
Malware Config

Extracted
Family: 44caliber
Discord webhook: https://discord.com/api/webhooks/1267250103538810911/_8BMipnmgDV4n-Uu_YmzeHrxrFFQPSAoBBDlwlDVhsDsk_31uQMADxZw-pq563wCO5KV
Signatures

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copying of, the web browser credential store.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | Loader.exe
-
Executes dropped EXE (1 IoC)
pid | Process
2468 | fixer.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
-
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | freegeoip.app
7 | freegeoip.app
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | fixer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | fixer.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs, repeated entries for the two processes below)
pid | Process
2468 | fixer.exe
2808 | taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2808 | taskmgr.exe
-
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2468 | fixer.exe
Token: SeDebugPrivilege | 2808 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2808 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2808 | taskmgr.exe
-
Suspicious use of FindShellTrayWindow (48 IoCs, all from the same process)
pid | Process
2808 | taskmgr.exe
-
Suspicious use of SendNotifyMessage (48 IoCs, all from the same process)
pid | Process
2808 | taskmgr.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3680 wrote to memory of 3520 | 3680 | Loader.exe | 87
PID 3680 wrote to memory of 3520 | 3680 | Loader.exe | 87
PID 3680 wrote to memory of 2468 | 3680 | Loader.exe | 88
PID 3680 wrote to memory of 2468 | 3680 | Loader.exe | 88
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  PID: 3680
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Loader.exe (child of 3680)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      PID: 3520

    C:\Users\Admin\AppData\Local\Temp\fixer.exe (child of 3680)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fixer.exe"
      PID: 2468
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2808
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: c6f14ec20f955e829bf5f935c13780a0
SHA1: 04d8be62a353a1f6ffcb5b374acdc7cd37a4c334
SHA256: 7fc26c6d39b115aa7d7f5f286f9d5a246086d50e17e1b67fa0cdde71a0fa0f30
SHA512: 8ad64b33e8755c6ccce7541d2e150b4bb34d98ffa3fa4adf8c2d9b1951cb057b38eb662caa0471c7adc8c9e5f47189b3dbafc22a0796124131846450a9197e85

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 274KB
MD5: 88505913c2c75f796c9a021aab2d356d
SHA1: 5b5c06998d3e200c21c77ea4efaeaecdc7344e78
SHA256: 62e414e990e80c8203955b0e32948ddc64903b80a462c339f1babfb03e641204
SHA512: 6fa46be04c2693ea164fe52ddf3cca0bdafd1ab34d8c0f1c2bf3d361c6042f45375343f59e9474ded6718f8177a4f7eb19fddccd95f7fbb87aad12358b2d6905