e75ae07c7b4a7e5e5eaaa0121bc9a46cd81297694b54ccf963c655b10ecf9c0b

Analysis

max time kernel
144s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

16.3MB
MD5

d9729d3757c9edd6d37491d1add7bda8
SHA1

a61840c5ef149490b026faf2482fc6bd67c84f5d
SHA256

e75ae07c7b4a7e5e5eaaa0121bc9a46cd81297694b54ccf963c655b10ecf9c0b
SHA512

04f3878927d51ad56e82ec3d3a93554388ac176c7d2cc373f78e06559be8684c7dabcad2a6e4e3a6d378cc9f735bf9dcef6520580114cee838f5714bc3218d60
SSDEEP

393216:gOv5dqEU9B/ZTQLy2n912K8O7myy4QUd9laJ3r:gedszmb4K7myygXlaJ7

Score

9^/10

evasion execution persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Loader.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\winhb.sys	Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Loader.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Loader.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869}	Loader.exe
File opened for modification	C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879}	Loader.exe
File opened for modification	C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899}	Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2036	Loader.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859}	Loader.exe
File opened for modification	C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}	Loader.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3600	sc.exe
3400	sc.exe
3868	sc.exe
704	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe
2036	Loader.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 4560	2036	Loader.exe	89
PID 2036 wrote to memory of 4560	2036	Loader.exe	89
PID 4560 wrote to memory of 3600	4560	cmd.exe	91
PID 4560 wrote to memory of 3600	4560	cmd.exe	91
PID 2036 wrote to memory of 3524	2036	Loader.exe	92
PID 2036 wrote to memory of 3524	2036	Loader.exe	92
PID 2036 wrote to memory of 5068	2036	Loader.exe	94
PID 2036 wrote to memory of 5068	2036	Loader.exe	94
PID 2036 wrote to memory of 2228	2036	Loader.exe	96
PID 2036 wrote to memory of 2228	2036	Loader.exe	96
PID 3524 wrote to memory of 3400	3524	cmd.exe	97
PID 3524 wrote to memory of 3400	3524	cmd.exe	97
PID 2228 wrote to memory of 1016	2228	cmd.exe	98
PID 2228 wrote to memory of 1016	2228	cmd.exe	98
PID 2228 wrote to memory of 2676	2228	cmd.exe	99
PID 2228 wrote to memory of 2676	2228	cmd.exe	99
PID 2228 wrote to memory of 3464	2228	cmd.exe	100
PID 2228 wrote to memory of 3464	2228	cmd.exe	100
PID 5068 wrote to memory of 3868	5068	cmd.exe	101
PID 5068 wrote to memory of 3868	5068	cmd.exe	101
PID 2036 wrote to memory of 4176	2036	Loader.exe	104
PID 2036 wrote to memory of 4176	2036	Loader.exe	104
PID 4176 wrote to memory of 704	4176	cmd.exe	106
PID 4176 wrote to memory of 704	4176	cmd.exe	106
PID 2036 wrote to memory of 2560	2036	Loader.exe	110
PID 2036 wrote to memory of 2560	2036	Loader.exe	110

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:3600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\sc.exe
    sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    3⤵
    - Launches sc.exe
    PID:3400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:3868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5
    3⤵
    PID:1016
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2676
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:3464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C sc start windowsproc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\system32\sc.exe
    sc start windowsproc
    3⤵
    - Launches sc.exe
    PID:704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\BackupSubmit.vsd

Filesize
304KB

MD5
e8a229abedb43547c436a23a5e5907da

SHA1
583b8ce9ab9b5aec8375fc89f6bd126084fba1fb

SHA256
eed627ad47d3b07d49e6bee2b7215221cdd7dc392d307ab6538ff90ad131429e

SHA512
17e8df658639755e866c0d85bf491030f93aba3c53b28922abf7de150375d4837eaf0b8d8d8ffa528352a024ad5a57f69d40d08a09a4fa52e21208b49e84c6de

Download Submit
C:\Users\Admin\Desktop\BlockDeny.asx

Filesize
227KB

MD5
68b3a96d7e82314a1cc6ca9c1a6fa6db

SHA1
80ee8f522d5bb46c0d56d86845b57b028d32fb83

SHA256
1900674b82accc009781d7aa190802a15e39b16f95421fb6a07937f7e018350b

SHA512
e80db4b36224349baa531cd364161a39c4898f2494c7eaa8ce621ecb9fc2c0b41c2077d3ae5b20fcd95d917845559a2c6a8f0b2a96e8fbf40af1d2466e1d7921

Download Submit
C:\Users\Admin\Desktop\ClearUnprotect.mht

Filesize
120KB

MD5
3c8930cbad9075434eab6b99d73d9888

SHA1
de6e53023c8eef7fda2ab7e924b4cb65bbc44366

SHA256
41a1edd1e4cc5c1c7f08687315384d743e2e9e065d6eabe2a6ca2d572ee5a19d

SHA512
dfe07265449946c445107a0c35db7d01e108d484bea8c4daa73a0a20e268036ceb18b1ed6b4fd8b3ba0fe9583271a6d996a25652f43da7c5f0932d5ab6d926c9

Download Submit
C:\Users\Admin\Desktop\GetDisable.mp2v

Filesize
285KB

MD5
5c8119375d65ee7f75c584f14ffc5897

SHA1
6d80d5b8c175f0c21af752558a2b902631200da8

SHA256
7a5ab9f6f590bb949b1b5b0740c0c149a7fa33d60261ea3ba6f3d4c283166d56

SHA512
581f30fe4e269e5b4ff4e5365fde6f366b991cc3140a8d5d951f8347af7ad4fd854db8c93467fb2fabd4c1d5ff2e39d2d2de2b1e3ea87c70fa17042e7bcb65ee

Download Submit
C:\Users\Admin\Desktop\JoinAssert.midi

Filesize
208KB

MD5
91a72332f45ce89ae1e7f918392ee4ea

SHA1
97feab57ac85598a464f8a7fe9cc9ec59ad5724b

SHA256
a63306c066103f56da60b1f7e6e2bfa4ed1e951ee6e47ef0b5d1fab6d963570c

SHA512
bbfa31faa0aacc791a6933b85a5aa6643fd5b4bd35b255b702b9146178c2ae8a1cbafd7569639c8755ba77291bcb8b164088ad3c55f3406c78a52eefd20afeb1

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
dd38f59dfa4266b016e82f52d0c6593e

SHA1
8ec12c95cbebc4cb032f093911772a38815af7f2

SHA256
e091aae1c3feb98a135f914e5a5aa5bc58122c41ac039a41c6647af58dda90e3

SHA512
3b13b58bc5280e826b8f0083e751219255b04a9c127b7c2f7b35b592636c45bfbb06010a3c7d01e8593cff08b6aa5a6141c3c0fc307ebfe91b5037f01e908765

Download Submit
C:\Users\Admin\Desktop\MoveRevoke.docx

Filesize
435KB

MD5
e4aaf704c0639a824009e21085dfa213

SHA1
2e6be2e742c0a561d9f470f5f8fa43a3313aa959

SHA256
b48c5f8b291bae76c2e88bbb26b275fa8485e213282b974fd4ff7560a4a65895

SHA512
60b53b79e17acf0976e240b55cc3d29f7cb1960c39ee6e52d8f809f495f95c90f1369e2df40d6faefdce2c4317456427f559c8705fae4dc74f3362e4b4c94249

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
fb403f4c0a2f136a17f88d5b5c1e9b19

SHA1
91f288b1c4a287c69d0ab749587b2ee8331cf61c

SHA256
25dcb57716c31be9aa6520a99233cca5d931ad46837eddf427ada6a98f799e03

SHA512
ff5143a469252458c8a9a0d015b7198e5f11eba6639e69b8f7a3fc2cd924f6bb4f4238b37ceec246e8173fa8769b137c2dac381846db124a3419e0ed1ef5b96d

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
c77306ee504f281e6069d721ebceb3e9

SHA1
ac733bd8a2f9f9c31e13a29f013de69caad07200

SHA256
9e67a1b951a1b11c4ae62dd958227f4d071177794e1d6ca6d86bfd33a2d24daa

SHA512
d93951a645967a1afc41a53d577562c3d3642edf91a3d0bb363b29dacbd82cfd854aaccd5c75ef41245865afa7e2ac22df222b627af22b3dfb3772acf11daf70

Download Submit
memory/2036-0-0x0000000140000000-0x00000001424C1000-memory.dmp

Filesize
36.8MB

Download
memory/2036-14-0x0000000140000000-0x00000001424C1000-memory.dmp

Filesize
36.8MB

Download
memory/2036-4-0x0000000140000000-0x00000001424C1000-memory.dmp

Filesize
36.8MB

Download
memory/2036-3-0x0000000140000000-0x00000001424C1000-memory.dmp

Filesize
36.8MB

Download
memory/2036-2-0x0000000140000000-0x00000001424C1000-memory.dmp

Filesize
36.8MB

Download
memory/2036-1-0x00007FFD75070000-0x00007FFD75072000-memory.dmp

Filesize
8KB

Download