Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 05:24

General

  • Target

    Windows_Loader_2.2.1_DAZ/PHILka.RU_Windows Loader 2.2.1_by_DAZ/Windows_Loader_2.2.exe

  • Size

    2.1MB

  • MD5

    31f120258fffd9b600da0110a286a71d

  • SHA1

    946355ed4fa48d392a572d0eecb380125531f290

  • SHA256

    1527c10324e252a939e1f6ef4d62b532f4adb486e6a88cc1e8a36a3274b98c0f

  • SHA512

    ec164d3df1e80da59ef549941b0998bc555d312cfd23d4c080cf280bb3103eff0fb7b55c3de4cc660627beb1b9ffeb3877ce08d9eed0a5ca4c2ed43550098be3

  • SSDEEP

    49152:9QMSvjMQ479DCkf8WwxDnlkKDnUIv7A/ZYhpRR+9yeMTwBhU7:9XSvoQM9eTWwJnKKDnUw7A/ZOXR+9yeg

Score
7/10

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows_Loader_2.2.1_DAZ\PHILka.RU_Windows Loader 2.2.1_by_DAZ\Windows_Loader_2.2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe"
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:216
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1020 /prefetch:8
    1⤵
      PID:4160

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Windows Loader.exe

      Filesize

      3.8MB

      MD5

      3976bd5fcbb7cd13f0c12bb69afc2adc

      SHA1

      3b6bdca414a53df7c8c5096b953c4df87a1091c7

      SHA256

      bf5070ef8cf03a11d25460b3e09a479183cc0fa03d0ea32e4499998f509b1a40

      SHA512

      0e34171ea0118f4487bc78954b9a388eac9ee203323e86746616c746a1543b8c4190397fc578d8fc5dd1e151862172fd1c444a42d4b59c18551959c2a19cf341

    • memory/216-21-0x0000000000B30000-0x0000000000B40000-memory.dmp

      Filesize

      64KB

    • memory/216-12-0x0000000000400000-0x0000000000623000-memory.dmp

      Filesize

      2.1MB

    • memory/216-27-0x0000000002530000-0x00000000026CA000-memory.dmp

      Filesize

      1.6MB

    • memory/216-26-0x0000000002A90000-0x0000000002AA2000-memory.dmp

      Filesize

      72KB

    • memory/216-35-0x0000000010000000-0x0000000010021000-memory.dmp

      Filesize

      132KB

    • memory/216-13-0x0000000002A70000-0x0000000002A83000-memory.dmp

      Filesize

      76KB

    • memory/216-43-0x0000000002DF0000-0x0000000002E01000-memory.dmp

      Filesize

      68KB

    • memory/216-67-0x0000000002E30000-0x0000000002E50000-memory.dmp

      Filesize

      128KB

    • memory/216-59-0x0000000002E20000-0x0000000002E30000-memory.dmp

      Filesize

      64KB

    • memory/216-51-0x0000000002E10000-0x0000000002E20000-memory.dmp

      Filesize

      64KB

    • memory/216-77-0x0000000000400000-0x0000000000623000-memory.dmp

      Filesize

      2.1MB

    • memory/2068-0-0x0000000000400000-0x000000000082D000-memory.dmp

      Filesize

      4.2MB

    • memory/2068-75-0x0000000000400000-0x000000000082D000-memory.dmp

      Filesize

      4.2MB