Analysis

  • max time kernel
    35s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 05:24

Errors

Reason
Machine shutdown

General

  • Target

    Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe

  • Size

    2.1MB

  • MD5

    31f120258fffd9b600da0110a286a71d

  • SHA1

    946355ed4fa48d392a572d0eecb380125531f290

  • SHA256

    1527c10324e252a939e1f6ef4d62b532f4adb486e6a88cc1e8a36a3274b98c0f

  • SHA512

    ec164d3df1e80da59ef549941b0998bc555d312cfd23d4c080cf280bb3103eff0fb7b55c3de4cc660627beb1b9ffeb3877ce08d9eed0a5ca4c2ed43550098be3

  • SSDEEP

    49152:9QMSvjMQ479DCkf8WwxDnlkKDnUIv7A/ZYhpRR+9yeMTwBhU7:9XSvoQM9eTWwJnKKDnUw7A/ZOXR+9yeg

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 4 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c takeown /f C:\ldrscan\bootwin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2864
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\ldrscan\bootwin
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3068
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c takeown /f C:\ldrscan\bootwin
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:832
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\ldrscan\bootwin
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:2876
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\Windows\SysWOW64\icacls.exe
          icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:264
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
          4⤵
          PID:2340
      • C:\Windows\system32\cmd.exe
        cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2328
        • C:\Windows\System32\cscript.exe
          C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          4⤵
          PID:2464
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:880
        • C:\Windows\SysWOW64\compact.exe
          compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1832
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1356
        • C:\bootsect.exe
          C:\bootsect.exe /nt60 SYS /force
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1084
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /A /C "shutdown -r -t 0"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2036
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -r -t 0
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:1536
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:276
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1584
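
The tree above is a single sequence run by the dropped "Windows Loader.exe" (PID 1384): take ownership of C:\ldrscan\bootwin and grant Everyone (S-1-1-0) full control, install a license certificate (the dropped C:\Acer.XRM-MS) and a product key through slmgr.vbs, decompress a file addressed by raw \\?\Volume{GUID} path, rewrite the system partition's boot sector with bootsect /nt60 SYS /force, and reboot immediately. That matches the install routine of DAZ's Windows Loader, a Windows 7 activator, which is what the sample's file name claims to be. Note the "Machine shutdown" error above: the run ended at the `shutdown -r -t 0`, so nothing that happens on the modified boot path is observed in this report. The following detection script is an added example and not part of the sandbox report or of the tool: it replays the tree's command lines (constructed here from the page, not captured from a live EDR) through one rule per step and correlates hits by root ancestor, so the steps surface as one chain rather than as unrelated takeown/icacls/slmgr noise. The rule names, the "not under \Users\" exclusion and the verdict thresholds are this example's assumptions.

```python
"""Triage rules for the activator-style chain in the process tree above.

Added example, not part of the sandbox report. Events are constructed from the
page's process tree; rule names and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed from the page's process tree: (pid, ppid, command line).
EVENTS = [
    (2692, 0, r'"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"'),
    (1384, 2692, r'"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"'),
    (2996, 1384, r'cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"'),
    (2864, 2996, r'cmd.exe /c takeown /f C:\ldrscan\bootwin'),
    (2880, 2864, r'takeown /f C:\ldrscan\bootwin'),
    (3068, 1384, r'cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"'),
    (1120, 3068, r'icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)'),
    (2008, 1384, r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""'),
    (2340, 2008, r'C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"'),
    (2328, 1384, r'cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"'),
    (2464, 2328, r'C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2'),
    (880, 1384, r'cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA"'),
    (1832, 880, r'compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA'),
    (1356, 1384, r'cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"'),
    (1084, 1356, r'C:\bootsect.exe /nt60 SYS /force'),
    (2036, 1384, r'cmd.exe /A /C "shutdown -r -t 0"'),
    (1536, 2036, r'shutdown -r -t 0'),
]

KEY_RE = r"(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}"  # 5x5 product-key shape taken by slmgr -ipk

# One rule per step of the chain. The "\Users\" exclusion is an assumption
# to keep ordinary take-ownership of a user's own files out of the results.
RULES = {
    # takeown against a path outside the user profile (here C:\ldrscan\bootwin)
    "takeown_nonuser_path": re.compile(r'\btakeown(?:\.exe)?\b.*\s/f\s+"?[A-Za-z]:\\(?!Users\\)[^"\s]+', re.I),
    # icacls granting Everyone (S-1-1-0) full control
    "icacls_everyone_full": re.compile(r"\bicacls(?:\.exe)?\b.*\*S-1-1-0:\(?F\)?", re.I),
    # slmgr.vbs -ilc installs a license certificate (the dropped Acer.XRM-MS)
    "slmgr_install_cert": re.compile(r"slmgr\.vbs\b.*\s[-/]ilc\b", re.I),
    # slmgr.vbs -ipk installs a product key
    "slmgr_install_key": re.compile(r"slmgr\.vbs\b.*\s[-/]ipk\s+" + KEY_RE, re.I),
    # compact /u addressing a raw \\?\Volume{GUID}\ path instead of a drive letter
    "compact_volume_guid": re.compile(r"\bcompact(?:\.exe)?\b.*\\\\\?\\Volume\{[0-9a-f-]{36}\}", re.I),
    # bootsect rewriting the system partition's boot code, with /force
    "bootsect_force": re.compile(r"\bbootsect(?:\.exe)?\b(?=.*\s/nt60\b)(?=.*\s/force\b)", re.I),
    # reboot with zero delay
    "immediate_reboot": re.compile(r"\bshutdown(?:\.exe)?\b(?=.*\s[-/]r\b)(?=.*\s[-/]t\s+0\b)", re.I),
}

# Steps that prepare the boot-sector rewrite; any one of them next to
# bootsect_force under the same ancestor is treated as the strongest signal.
SETUP_STEPS = {"takeown_nonuser_path", "icacls_everyone_full", "slmgr_install_cert",
               "slmgr_install_key", "compact_volume_guid"}


def match_rules(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def root_of(pid, parents):
    """Walk ppid links up to the highest ancestor present in the event set."""
    seen = {pid}
    while parents.get(pid) in parents and parents[pid] not in seen:
        pid = parents[pid]
        seen.add(pid)
    return pid


def correlate(events):
    """Map each root-ancestor pid to the set of rules its descendants triggered."""
    parents = {pid: ppid for pid, ppid, _ in events}
    chains = defaultdict(set)
    for pid, _, cmdline in events:
        for name in match_rules(cmdline):
            chains[root_of(pid, parents)].add(name)
    return dict(chains)


def verdict(chains, min_steps=4):
    """Flag a chain that rewrites the boot sector after a setup step, or that
    shows at least min_steps distinct steps under one ancestor (assumed threshold)."""
    flagged = {}
    for root, hits in chains.items():
        if ("bootsect_force" in hits and hits & SETUP_STEPS) or len(hits) >= min_steps:
            flagged[root] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for root, hits in verdict(correlate(EVENTS)).items():
        print(f"root pid {root}: {', '.join(hits)}")
```

Correlating by root ancestor is what makes this usable: every step here is launched through a fresh cmd.exe, so a per-process rule sees seven unrelated one-line events, while walking the ppid chain attributes all of them to PID 2692. The bootsect rule is the one worth alerting on by itself; takeown and icacls on their own are routine administration and only matter in this combination.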

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Acer.XRM-MS
    Filesize 2KB
    MD5 f25832af6a684360950dbb15589de34a
    SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
    SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
    SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

  • C:\bootsect.exe
    Filesize 95KB
    MD5 40234e01f0e94ca61611c58890d506ba
    SHA1 26c2aa80fd2c43b525b0b7e153f36e24bfb72977
    SHA256 c822016f9c4bd1438d813e440e02975637abe89b71a75508fb6b92a784e5a117
    SHA512 6e12b4fb1e78585f9fcb9bd673f30bd8e88dbfe069785f91cdc8acaeef72ab0df29918574895d98ec94cf62e9a1f9a11c42701b8180e0e28e2ffdcfe3e945190

  • \??\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA
    Filesize 387KB
    MD5 40887cbeb9f9dfea92b34f6976dbc75b
    SHA1 cf448ff6b7d1b1dd9145acbf56c545406d1c6e52
    SHA256 960b88a8ade6adf2fce1cec8406cd2b640bcc276a45da2bb406c1fc92c70e1b5
    SHA512 56e1c4a0bba724db447db0242f8b91771af0bb0dba922141d8928e34c769fa4e243b5136c54f951372af9fb58e4d823407752c8ad9d054bf0b5bbf9044bd2566

  • \Users\Admin\AppData\Local\Temp\Windows Loader.exe
    Filesize 3.8MB
    MD5 3976bd5fcbb7cd13f0c12bb69afc2adc
    SHA1 3b6bdca414a53df7c8c5096b953c4df87a1091c7
    SHA256 bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
    SHA512 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

  • memory/1384-31-0x0000000010000000-0x0000000010021000-memory.dmp
    Filesize 132KB

  • memory/1384-80-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize 2.1MB

  • memory/1384-63-0x00000000003D0000-0x00000000003F0000-memory.dmp
    Filesize 128KB

  • memory/1384-55-0x00000000003C0000-0x00000000003D0000-memory.dmp
    Filesize 64KB

  • memory/1384-47-0x00000000003B0000-0x00000000003C0000-memory.dmp
    Filesize 64KB

  • memory/1384-39-0x0000000000390000-0x00000000003A1000-memory.dmp
    Filesize 68KB

  • memory/1384-95-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize 2.1MB

  • memory/1384-23-0x00000000002F0000-0x0000000000302000-memory.dmp
    Filesize 72KB

  • memory/1384-18-0x00000000002E0000-0x00000000002F0000-memory.dmp
    Filesize 64KB

  • memory/1384-8-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize 2.1MB

  • memory/1384-71-0x00000000024E0000-0x000000000267A000-memory.dmp
    Filesize 1.6MB

  • memory/1384-77-0x0000000000400000-0x0000000000623000-memory.dmp
    Filesize 2.1MB

  • memory/1384-10-0x0000000000280000-0x0000000000293000-memory.dmp
    Filesize 76KB

  • memory/2692-74-0x0000000003990000-0x0000000003BB3000-memory.dmp
    Filesize 2.1MB

  • memory/2692-73-0x0000000000400000-0x000000000082D000-memory.dmp
    Filesize 4.2MB

  • memory/2692-6-0x0000000003990000-0x0000000003BB3000-memory.dmp
    Filesize 2.1MB

  • memory/2692-0-0x0000000000400000-0x000000000082D000-memory.dmp
    Filesize 4.2MB