5ef898e120cefd46934f16b4fbadc268e1c50f37ff58a1b3e47cb70e6353f27e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader (1).exe
Size

13.3MB
MD5

982279b044cacd5ed5495996c4561526
SHA1

522e37a0749df894453f84c1c1574baf96da2181
SHA256

5ef898e120cefd46934f16b4fbadc268e1c50f37ff58a1b3e47cb70e6353f27e
SHA512

d3346a858a16f13c03a2da963d08364b0cfc1a1f6e76714aab28141ecec0ef0d9735cec7e0a75da1e27841a820a3b9e166f3efabc2934664909e3d2c2259cbd2
SSDEEP

393216:IFQmAULmh+9jDv0qHaECkJ/CsNv5eEYDL:rULmsVHaERJ/XvYzP

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader (1).exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader (1).exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader (1).exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader (1).exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader (1).exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader (1).exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader (1).exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader (1).exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader (1).exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
860	Loader (1).exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader (1).exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader (1).exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader (1).exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader (1).exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe
860	Loader (1).exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
860	Loader (1).exe

C:\Users\Admin\AppData\Local\Temp\Loader (1).exe
"C:\Users\Admin\AppData\Local\Temp\Loader (1).exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-0-0x0000000140000000-0x0000000141DF1000-memory.dmp

Filesize
29.9MB

Download
memory/860-2-0x00007FFB14C30000-0x00007FFB14C32000-memory.dmp

Filesize
8KB

Download
memory/860-1-0x0000000140000000-0x0000000141DF1000-memory.dmp

Filesize
29.9MB

Download
memory/860-3-0x0000000140000000-0x0000000141DF1000-memory.dmp

Filesize
29.9MB

Download
memory/860-4-0x0000000140000000-0x0000000141DF1000-memory.dmp

Filesize
29.9MB

Download
memory/860-5-0x0000000140000000-0x0000000141DF1000-memory.dmp

Filesize
29.9MB

Download