Analysis
max time kernel: 17s
max time network: 19s
platform: windows10-2004_x64
resource: win10v2004-20240910-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/10/2024, 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win10v2004-20240910-en
General
Target: Loader.exe
Size: 16.5MB
MD5: 087820daca3dfdd4c93a920a1e3ef997
SHA1: 771d8248182615f26ff0c69a89c384b688d408be
SHA256: 9c6cb08278047b593aa508e3cb83d3b6af31b6988d78b66048a8007a95deb95d
SHA512: ee1f619a82e192f28122b1e9156879a9852be044b6e18460e5ce5ea2f7fdf3897663b0308e984f2b8e323363c21ff7a1c5c4ca94e71629bbeff198e462f9e679
SSDEEP: 393216:RJcZZ9wZ1SRNREs0nSPDfJSByR8P5Dd1bHZOq4efL4fIw3J:M4iE3SIByR8P5DnzRRwZ
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe
Creates new service(s) 2 TTPs
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\winhb.sys | Loader.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation | Loader.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Loader.exe
File opened for modification | C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
4740 | Loader.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Loader.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3612 | sc.exe
3684 | sc.exe
748 | sc.exe
2124 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
4740 | Loader.exe (32 identical entries)
Suspicious behavior: LoadsDriver 2 IoCs
pid | Process
664 | Process not Found
664 | Process not Found
Suspicious use of WriteProcessMemory 26 IoCs
description | pid | Process | procid_target
PID 4740 wrote to memory of 1160 | 4740 | Loader.exe | 89
PID 4740 wrote to memory of 1160 | 4740 | Loader.exe | 89
PID 1160 wrote to memory of 3612 | 1160 | cmd.exe | 91
PID 1160 wrote to memory of 3612 | 1160 | cmd.exe | 91
PID 4740 wrote to memory of 2336 | 4740 | Loader.exe | 94
PID 4740 wrote to memory of 2336 | 4740 | Loader.exe | 94
PID 2336 wrote to memory of 3684 | 2336 | cmd.exe | 96
PID 2336 wrote to memory of 3684 | 2336 | cmd.exe | 96
PID 4740 wrote to memory of 3888 | 4740 | Loader.exe | 97
PID 4740 wrote to memory of 3888 | 4740 | Loader.exe | 97
PID 4740 wrote to memory of 2356 | 4740 | Loader.exe | 99
PID 4740 wrote to memory of 2356 | 4740 | Loader.exe | 99
PID 4740 wrote to memory of 228 | 4740 | Loader.exe | 101
PID 4740 wrote to memory of 228 | 4740 | Loader.exe | 101
PID 228 wrote to memory of 4580 | 228 | cmd.exe | 102
PID 228 wrote to memory of 4580 | 228 | cmd.exe | 102
PID 228 wrote to memory of 2396 | 228 | cmd.exe | 103
PID 228 wrote to memory of 2396 | 228 | cmd.exe | 103
PID 228 wrote to memory of 320 | 228 | cmd.exe | 104
PID 228 wrote to memory of 320 | 228 | cmd.exe | 104
PID 3888 wrote to memory of 2124 | 3888 | cmd.exe | 105
PID 3888 wrote to memory of 2124 | 3888 | cmd.exe | 105
PID 2356 wrote to memory of 748 | 2356 | cmd.exe | 106
PID 2356 wrote to memory of 748 | 2356 | cmd.exe | 106
PID 4740 wrote to memory of 3468 | 4740 | Loader.exe | 108
PID 4740 wrote to memory of 3468 | 4740 | Loader.exe | 108
Processes
C:\Users\Admin\AppData\Local\Temp\Loader.exe (depth 1, PID 4740)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (depth 2, PID 1160)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (depth 3, PID 3612)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (depth 2, PID 2336)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (depth 3, PID 3684)
      Command line: sc start windowsproc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (depth 2, PID 3888)
    Command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (depth 3, PID 2124)
      Command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (depth 2, PID 2356)
    Command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (depth 3, PID 748)
      Command line: sc start windowsproc
      - Launches sc.exe

  C:\Windows\system32\cmd.exe (depth 2, PID 228)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe (depth 3, PID 4580)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

    C:\Windows\system32\find.exe (depth 3, PID 2396)
      Command line: find /i /v "md5"

    C:\Windows\system32\find.exe (depth 3, PID 320)
      Command line: find /i /v "certutil"

  C:\Windows\system32\cmd.exe (depth 2, PID 3468)
    Command line: C:\Windows\system32\cmd.exe /c cls