Analysis
max time kernel: 35s
max time network: 40s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03-10-2024 05:24
Static task: static1
Behavioral task: behavioral1
  Sample: Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/PHILka.RU.html
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/PHILka.RU.html
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe
  Resource: win7-20240903-en
Errors
General
Target: Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe
Size: 2.1MB
MD5: 31f120258fffd9b600da0110a286a71d
SHA1: 946355ed4fa48d392a572d0eecb380125531f290
SHA256: 1527c10324e252a939e1f6ef4d62b532f4adb486e6a88cc1e8a36a3274b98c0f
SHA512: ec164d3df1e80da59ef549941b0998bc555d312cfd23d4c080cf280bb3103eff0fb7b55c3de4cc660627beb1b9ffeb3877ce08d9eed0a5ca4c2ed43550098be3
SSDEEP: 49152:9QMSvjMQ479DCkf8WwxDnlkKDnUIv7A/ZYhpRR+9yeMTwBhU7:9XSvoQM9eTWwJnKKDnUw7A/ZOXR+9yeg
Malware Config
Signatures
- Possible privilege escalation attempt (4 IoCs)
  Processes (pid | Process):
    2880 | takeown.exe
    1120 | icacls.exe
    2876 | takeown.exe
    264 | icacls.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | Process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Windows Loader.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Windows Loader.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid | Process):
    1384 | Windows Loader.exe
    1084 | bootsect.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | Process):
    2692 | Windows_Loader_2.2.exe
- Modifies file permissions (1 TTPs, 4 IoCs)
  Processes (pid | Process):
    2880 | takeown.exe
    1120 | icacls.exe
    2876 | takeown.exe
    264 | icacls.exe
- Processes (resource | yara_rule):
    behavioral3/files/0x0005000000018705-3.dat | upx
    behavioral3/memory/1384-8-0x0000000000400000-0x0000000000623000-memory.dmp | upx
    behavioral3/memory/1384-77-0x0000000000400000-0x0000000000623000-memory.dmp | upx
    behavioral3/memory/1384-80-0x0000000000400000-0x0000000000623000-memory.dmp | upx
    behavioral3/memory/1384-95-0x0000000000400000-0x0000000000623000-memory.dmp | upx
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | Process): all 18 rows are "Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in report order, is:
    cmd.exe, cmd.exe, cmd.exe, cmd.exe, icacls.exe, takeown.exe, cmd.exe, cmd.exe, bootsect.exe, Windows_Loader_2.2.exe, Windows Loader.exe, cmd.exe, cmd.exe, cmd.exe, takeown.exe, icacls.exe, compact.exe, shutdown.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | Process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct | Windows Loader.exe
    Key created | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Windows Loader.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | Process):
    1384 | Windows Loader.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  Processes (description | pid | Process):
    Token: 33 | 1384 | Windows Loader.exe
    Token: SeIncBasePriorityPrivilege | 1384 | Windows Loader.exe
    Token: 33 | 1384 | Windows Loader.exe
    Token: SeIncBasePriorityPrivilege | 1384 | Windows Loader.exe
    Token: SeTakeOwnershipPrivilege | 2880 | takeown.exe
    Token: SeTakeOwnershipPrivilege | 2876 | takeown.exe
    Token: SeShutdownPrivilege | 1536 | shutdown.exe
    Token: SeRemoteShutdownPrivilege | 1536 | shutdown.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid | Process):
    1384 | Windows Loader.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid | Process | procid_target); identical rows are grouped, with the row count in parentheses:
    PID 2692 wrote to memory of 1384 | 2692 | Windows_Loader_2.2.exe | 30 (x4)
    PID 1384 wrote to memory of 2996 | 1384 | Windows Loader.exe | 34 (x4)
    PID 2996 wrote to memory of 2864 | 2996 | cmd.exe | 36 (x4)
    PID 2864 wrote to memory of 2880 | 2864 | cmd.exe | 37 (x4)
    PID 1384 wrote to memory of 3068 | 1384 | Windows Loader.exe | 38 (x4)
    PID 3068 wrote to memory of 1120 | 3068 | cmd.exe | 40 (x4)
    PID 1384 wrote to memory of 2380 | 1384 | Windows Loader.exe | 41 (x4)
    PID 2380 wrote to memory of 832 | 2380 | cmd.exe | 43 (x4)
    PID 832 wrote to memory of 2876 | 832 | cmd.exe | 44 (x4)
    PID 1384 wrote to memory of 2120 | 1384 | Windows Loader.exe | 45 (x4)
    PID 2120 wrote to memory of 264 | 2120 | cmd.exe | 47 (x4)
    PID 1384 wrote to memory of 2008 | 1384 | Windows Loader.exe | 48 (x4)
    PID 2008 wrote to memory of 2340 | 2008 | cmd.exe | 50 (x3)
    PID 1384 wrote to memory of 2328 | 1384 | Windows Loader.exe | 51 (x4)
    PID 2328 wrote to memory of 2464 | 2328 | cmd.exe | 53 (x3)
    PID 1384 wrote to memory of 880 | 1384 | Windows Loader.exe | 55 (x4)
    PID 880 wrote to memory of 1832 | 880 | cmd.exe | 57 (x2)
Processes (process tree; [n] is the nesting level, children are indented under their parent)
[1] C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2692
  [2] C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 1384
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2996
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 2864
        [5] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\ldrscan\bootwin
            - Possible privilege escalation attempt
            - Modifies file permissions
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 2880
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3068
      [4] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions
          - System Location Discovery: System Language Discovery
          PID: 1120
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2380
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd.exe /c takeown /f C:\ldrscan\bootwin
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 832
        [5] C:\Windows\SysWOW64\takeown.exe
            Command line: takeown /f C:\ldrscan\bootwin
            - Possible privilege escalation attempt
            - Modifies file permissions
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 2876
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2120
      [4] C:\Windows\SysWOW64\icacls.exe
          Command line: icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
          - Possible privilege escalation attempt
          - Modifies file permissions
          - System Location Discovery: System Language Discovery
          PID: 264
    [3] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
        - Suspicious use of WriteProcessMemory
        PID: 2008
      [4] C:\Windows\System32\cscript.exe
          Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
          PID: 2340
    [3] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
        - Suspicious use of WriteProcessMemory
        PID: 2328
      [4] C:\Windows\System32\cscript.exe
          Command line: C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
          PID: 2464
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 880
      [4] C:\Windows\SysWOW64\compact.exe
          Command line: compact /u \\?\Volume{fc914843-69ed-11ef-8ad4-806e6f6e6963}\VHUXA
          - System Location Discovery: System Language Discovery
          PID: 1832
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
        - System Location Discovery: System Language Discovery
        PID: 1356
      [4] C:\bootsect.exe
          Command line: C:\bootsect.exe /nt60 SYS /force
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          PID: 1084
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /A /C "shutdown -r -t 0"
        - System Location Discovery: System Language Discovery
        PID: 2036
      [4] C:\Windows\SysWOW64\shutdown.exe
          Command line: shutdown -r -t 0
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 1536
[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    PID: 276
[1] C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x1
    PID: 1584
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: f25832af6a684360950dbb15589de34a
  SHA1: 17ff1d21005c1695ae3dcbdc3435017c895fff5d
  SHA256: 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
  SHA512: e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f
- Filesize: 95KB
  MD5: 40234e01f0e94ca61611c58890d506ba
  SHA1: 26c2aa80fd2c43b525b0b7e153f36e24bfb72977
  SHA256: c822016f9c4bd1438d813e440e02975637abe89b71a75508fb6b92a784e5a117
  SHA512: 6e12b4fb1e78585f9fcb9bd673f30bd8e88dbfe069785f91cdc8acaeef72ab0df29918574895d98ec94cf62e9a1f9a11c42701b8180e0e28e2ffdcfe3e945190
- Filesize: 387KB
  MD5: 40887cbeb9f9dfea92b34f6976dbc75b
  SHA1: cf448ff6b7d1b1dd9145acbf56c545406d1c6e52
  SHA256: 960b88a8ade6adf2fce1cec8406cd2b640bcc276a45da2bb406c1fc92c70e1b5
  SHA512: 56e1c4a0bba724db447db0242f8b91771af0bb0dba922141d8928e34c769fa4e243b5136c54f951372af9fb58e4d823407752c8ad9d054bf0b5bbf9044bd2566
- Filesize: 3.8MB
  MD5: 3976bd5fcbb7cd13f0c12bb69afc2adc
  SHA1: 3b6bdca414a53df7c8c5096b953c4df87a1091c7
  SHA256: bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
  SHA512: 0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341