Analysis
-
max time kernel
32s -
max time network
26s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
02/08/2024, 21:39
General
-
Target
release8-2-24/release/main/loader.exe
-
Size
4.1MB
-
MD5
9ecdc9ed1bea6c226f92d740d43400b9
-
SHA1
b5b5066cd4284733d8c3f3d7de3ca6653091ae10
-
SHA256
60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c
-
SHA512
30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43
-
SSDEEP
98304:vnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUPj:PTn2qcUzp6UYeJRCxPj
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 11 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe"C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\release8-2-24\release\main\loader.exe" MD53⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffed085cc40,0x7ffed085cc4c,0x7ffed085cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2080,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2076 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2208 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1840,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2312 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3312,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,8253313017648898302,5862872662703919969,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3708 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CompleteImport.png" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD558614b9f527636b72056db818a6e3f94
SHA1f83ac1260bfd56719a4c9f26de71c714b67e48bb
SHA2564dfe08075aa92e249f47310f804615259317fa005a529fbf885c1d535b6d360e
SHA512a313857bfd1a14da3a4e28b174e135d43184bffba82b5a601e63388f92fdf7ff7dc29f2c0c1deacddb6b8c9901628d3bfbd7ba3535ee270cbe45c89e5aa93c8b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD55d36b572b8305f9b050372f2b5e7715e
SHA160018732339439879e639352c670e5fb5f76c0d7
SHA25641fb5b7e1025fa79f823b511583696e3cb584a25865bdf299a09d68c368f7965
SHA512eb221b9ddb3374fe53865a69d4b68447e2c5c23afa87c0518c8188f5595d50b1d243c036115a6eea2460794a3ca1d0f5373c84fc66184e4c5033eabb5048b16f
-
Filesize
8KB
MD593c5fdf0b016d20251460efc240f2f7d
SHA1ed61476db2fd1ee18940b6cd6e0ce5532a2657d4
SHA2560b9e227769078e6536b1b6b6a4b305e1f0bb984589cc7a0eba720b2fd2837a44
SHA512809a6fbddcb621d4253498e741c2e389907a48f062f4e630fde82260891efbaa7713f55769b9457c3838b61677a8ea8d8ac432b21d00c95e035b9d0ffbe7ae07
-
Filesize
99KB
MD59e3eabe604b32eb5f198fe364cb6b315
SHA19b09f3c36921572acaf5deadc372a7c5a00f66a1
SHA2561a4aabc7a403120a0ce9485d1b808bf13ac89f7c2cd3b174c3bfb63eb6ec833c
SHA5129665b66db94f419cb0095d3b2f420f7ae762c084a2f354a36b2469c189cc9de265ce9c9f86f7c5d773009a0e09b97f03e0f1d2ffe9affe133c7420672a23e39d
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
8KB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB
-
Filesize
10.6MB