Overview

overview

10

Static

static

3

Loader.exe

windows7-x64

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05-09-2024 06:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    3.2MB

  • MD5

    06dcb15ae610d9451fb568bc536069ee

  • SHA1

    611af21b221bd004e7546d2603793de501b4f38d

  • SHA256

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

  • SHA512

    9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb

  • SSDEEP

    49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x

Score
10/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1976
    • \??\c:\users\admin\appdata\local\temp\loader.exe 
      c:\users\admin\appdata\local\temp\loader.exe 
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2348
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 16380
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2192
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2688
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2804
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1036
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2764
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2624
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:29 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1524
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:30 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:440
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 06:31 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1960
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2220

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    2
    T1112

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    4
    T1012

    System Information Discovery

    2
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    2
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\loader.exe 
      Filesize

      3.1MB

      MD5

      0c33284728a138decf9bf5229bc1272a

      SHA1

      41bac3740aee663620d82503e7dda4cd3f564eb7

      SHA256

      ad013bc1676f0fb7f9dd576d5d96e4b121770756abeb70379e01d0003dca8681

      SHA512

      0c9a0647418ffdf03ca31db1fbe7152a301953d1fe9a7115f18271c4690ed72af0e2b0acf9f6ad05234e6faa7cba759d815435cb67536a1253f1959a953a6622

      Download Submit

    • C:\Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      6da9ff31994755b2da5728dc6fad7d44

      SHA1

      681d8bb408019be01b1a881d7251aa20911ced58

      SHA256

      76ce927dc9c90fda33a2ab8ce5f8219c28a819a61ee2a606caa4ecea370e6d24

      SHA512

      b5d2e5b0df9d42b91118175fb3899f037b049ea9440e89f971ad7973d231186995ecb392ba95fdf1e03eea88b36d10fe632819e9c0c81c3f9de4d8c9f271814e

      Download Submit

    • \Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      a082983f3d6f012f8b211bcac9df371d

      SHA1

      8f13e36f5ec891cf4eccfc77694b6268f50f07d9

      SHA256

      9a45fb25503111878442721305dfd9f5c9bd9cf3e60e1d5b5e9c754b48166253

      SHA512

      b5d3c96efb0d84ee4d7c968ea90d7c75b8203667ea9beaa655e6507f03d146e5fccbfb45561559085fdba9e016c645959f6e510cb8a43a351aa4ac856253b04a

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      eca051c60a9c1100c2ebef10c350da59

      SHA1

      b57d7d2003645f00d5a3ca35c259c65d03d8466a

      SHA256

      e453341d7f406c1efe42bde0329b7e0096356b828f876ec440b068b9dda05e61

      SHA512

      400957fe562041a7498353a04f714c5c8ad0185e963501d183d682a19ea7379b3caed97cb6e2e302d3be4266b28ed7c62ff8722a9b8aac5dec4051ce301bb772

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      e3e1927a2807ef325a1218345788f664

      SHA1

      a4cc77294ae886d595f775be21b34fa70040b05b

      SHA256

      6df0d52d0d578ad483d1a04c83f5d1684d07fb704a0d37a80ed8c982a8ed3e34

      SHA512

      edc8f89d3342decc370b647f3e6579e185acc68ac5b5dc962cfa340e4c21e7d52c29ccb8c98ce8bb6f2c2ea57ed0f267b27676315e303626c1b68ac840fb8fb2

      Download Submit

    • memory/1036-64-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1036-50-0x00000000002C0000-0x00000000002DF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1976-65-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1976-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2348-40-0x00000000748CE000-0x00000000748CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2348-12-0x0000000000CB0000-0x0000000000FCA000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2348-14-0x0000000005160000-0x00000000052CA000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2348-13-0x00000000748C0000-0x0000000074FAE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2348-61-0x00000000748C0000-0x0000000074FAE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2348-72-0x00000000748C0000-0x0000000074FAE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2348-11-0x00000000748CE000-0x00000000748CF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2624-63-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2688-28-0x00000000003C0000-0x00000000003DF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2688-66-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2764-62-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2764-74-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2764-75-0x0000000000270000-0x000000000028F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2804-73-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download