Analysis
-
max time kernel
141s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2024 05:24
Static task
static1
Behavioral task
behavioral1
Sample
Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/PHILka.RU.html
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/PHILka.RU.html
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe
Resource
win7-20240903-en
General
-
Target
Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe
-
Size
2.1MB
-
MD5
31f120258fffd9b600da0110a286a71d
-
SHA1
946355ed4fa48d392a572d0eecb380125531f290
-
SHA256
1527c10324e252a939e1f6ef4d62b532f4adb486e6a88cc1e8a36a3274b98c0f
-
SHA512
ec164d3df1e80da59ef549941b0998bc555d312cfd23d4c080cf280bb3103eff0fb7b55c3de4cc660627beb1b9ffeb3877ce08d9eed0a5ca4c2ed43550098be3
-
SSDEEP
49152:9QMSvjMQ479DCkf8WwxDnlkKDnUIv7A/ZYhpRR+9yeMTwBhU7:9XSvoQM9eTWwJnKKDnUw7A/ZOXR+9yeg
Malware Config
Signatures
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Windows Loader.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Windows Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Windows Loader.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Windows_Loader_2.2.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation Windows_Loader_2.2.exe -
Executes dropped EXE 1 IoCs
Processes:
Windows Loader.exepid Process 216 Windows Loader.exe -
Processes:
resource yara_rule behavioral4/files/0x00070000000235e8-5.dat upx behavioral4/memory/216-12-0x0000000000400000-0x0000000000623000-memory.dmp upx behavioral4/memory/216-77-0x0000000000400000-0x0000000000623000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Windows_Loader_2.2.exeWindows Loader.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows_Loader_2.2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Windows Loader.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
Windows Loader.exedescription ioc Process Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Windows Loader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct Windows Loader.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Windows Loader.exepid Process 216 Windows Loader.exe 216 Windows Loader.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Windows Loader.exedescription pid Process Token: 33 216 Windows Loader.exe Token: SeIncBasePriorityPrivilege 216 Windows Loader.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Windows Loader.exepid Process 216 Windows Loader.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
Windows_Loader_2.2.exedescription pid Process procid_target PID 2068 wrote to memory of 216 2068 Windows_Loader_2.2.exe 87 PID 2068 wrote to memory of 216 2068 Windows_Loader_2.2.exe 87 PID 2068 wrote to memory of 216 2068 Windows_Loader_2.2.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:81⤵PID:4160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.8MB
MD53976bd5fcbb7cd13f0c12bb69afc2adc
SHA13b6bdca414a53df7c8c5096b953c4df87a1091c7
SHA256bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40
SHA5120e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341