3c4da1db936b6a740a0701f364ccd3a5d2bcc5f3a8a934a10e68f13e829476ec

Resubmissions

05/09/2024, 02:25

240905-cwq62a1fkl 9

05/09/2024, 02:09

240905-clafja1drk 9

Analysis

max time kernel
80s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 02:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

12.5MB
MD5

06ab7010e847a1c3a567c1f9e14452bd
SHA1

593b4240fe2bfaa21de8a554bc93c0b5be11ab30
SHA256

3c4da1db936b6a740a0701f364ccd3a5d2bcc5f3a8a934a10e68f13e829476ec
SHA512

3b7be983404b18912ed844a8aac097d6156c9f957c32874e525efd17a8a0b990bbb69f33f7056d9f71c53000f46f45b5cc1506f8b76b03f6bfca8b67f4d634d1
SSDEEP

393216:Pw//lRv1JAhFnEjxpXaBkdoNGhEsnYxqZVmchA:o3lyhMpXaids8RnaR

Score

9^/10

evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
592	Loader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
400	sc.exe
1552	sc.exe
2612	sc.exe
1664	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe
592	Loader.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 1964	592	Loader.exe	89
PID 592 wrote to memory of 1964	592	Loader.exe	89
PID 1964 wrote to memory of 1664	1964	cmd.exe	91
PID 1964 wrote to memory of 1664	1964	cmd.exe	91
PID 592 wrote to memory of 4540	592	Loader.exe	92
PID 592 wrote to memory of 4540	592	Loader.exe	92
PID 4540 wrote to memory of 400	4540	cmd.exe	94
PID 4540 wrote to memory of 400	4540	cmd.exe	94
PID 592 wrote to memory of 1624	592	Loader.exe	95
PID 592 wrote to memory of 1624	592	Loader.exe	95
PID 592 wrote to memory of 3592	592	Loader.exe	96
PID 592 wrote to memory of 3592	592	Loader.exe	96
PID 592 wrote to memory of 4744	592	Loader.exe	99
PID 592 wrote to memory of 4744	592	Loader.exe	99
PID 4744 wrote to memory of 116	4744	cmd.exe	100
PID 4744 wrote to memory of 116	4744	cmd.exe	100
PID 4744 wrote to memory of 3112	4744	cmd.exe	101
PID 4744 wrote to memory of 3112	4744	cmd.exe	101
PID 4744 wrote to memory of 3092	4744	cmd.exe	102
PID 4744 wrote to memory of 3092	4744	cmd.exe	102
PID 1624 wrote to memory of 2612	1624	cmd.exe	103
PID 1624 wrote to memory of 2612	1624	cmd.exe	103
PID 3592 wrote to memory of 1552	3592	cmd.exe	104
PID 3592 wrote to memory of 1552	3592	cmd.exe	104
PID 592 wrote to memory of 4424	592	Loader.exe	107
PID 592 wrote to memory of 4424	592	Loader.exe	107
PID 592 wrote to memory of 2044	592	Loader.exe	108
PID 592 wrote to memory of 2044	592	Loader.exe	108

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    3⤵
    PID:116
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3112
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-0-0x0000000140000000-0x0000000141C8C000-memory.dmp

Filesize
28.5MB

Download
memory/592-3-0x0000000140000000-0x0000000141C8C000-memory.dmp

Filesize
28.5MB

Download
memory/592-1-0x0000000140000000-0x0000000141C8C000-memory.dmp

Filesize
28.5MB

Download
memory/592-2-0x00007FFEC8090000-0x00007FFEC8092000-memory.dmp

Filesize
8KB

Download
memory/592-4-0x0000000140000000-0x0000000141C8C000-memory.dmp

Filesize
28.5MB

Download
memory/592-16-0x0000000140000000-0x0000000141C8C000-memory.dmp

Filesize
28.5MB

Download