Overview

overview

10

Static

static

10

Loader 3.0.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    202s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-10-2024 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader 3.0.exe

  • Size

    147KB

  • MD5

    ff4cd364323fc2048c35783a38070aef

  • SHA1

    4736172dd07a3a196343b94dd56b4e4edc0f2bce

  • SHA256

    6dd7522accb6773bade16720b53ca577574defae5b1c7caf4b7fc6826dfed7e7

  • SHA512

    c72b07b78ccbcfad14fa9f7bc3e8a086c29969b4f7f30dbe57a1a173cd82d61a20bf5ead0bc7b627d5d7f7f0def71710e2ce09590be7a886ad6c9414981eb961

  • SSDEEP

    1536:FzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDEtDyI4njdbJBGCkmsQwvB6jr4j:GqJogYkcSNm9V7Dk4F91qYUrnbT

Score
9/10
defense_evasiondiscoveryransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (505) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 4 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader 3.0.exe"
    1⤵
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
      • Drops file in System32 directory
      PID:4336
    • C:\ProgramData\D310.tmp
      "C:\ProgramData\D310.tmp"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\D310.tmp >> NUL
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4612
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
    1⤵
      PID:4276
    • C:\Windows\system32\printfilterpipelinesvc.exe
      C:\Windows\system32\printfilterpipelinesvc.exe -Embedding
      1⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2380
      • C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE
        /insertdoc "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\{7833BFC7-9531-480F-AC3B-0247D932F7BF}.xps" 133746511461150000
        2⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:3100
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Jw5Jgl9mC.README.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      PID:3016
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /0
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1532
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3496

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\$Recycle.Bin\S-1-5-21-1537126222-899333903-2037027349-1000\XXXXXXXXXXX
        Filesize

        129B

        MD5

        c9816bb16509109574e4730b1d63386e

        SHA1

        a571ef6e8fcb901131d1fef8651e943cee416b5d

        SHA256

        ba5ebbea90e17b8fb0bac48b074e44b19202234d94eed129b02e30d5ccf051a5

        SHA512

        80200e9007c3560cd4b122881bd6ba28b678be82e82f8f11083672b7b7808621800fb939589eb8d5d1fd934dd2c59b85ed8f593d9f0afe4f2ba7953938f2320b

        Download Submit

      • C:\Jw5Jgl9mC.README.txt
        Filesize

        1KB

        MD5

        8b28296a2c168d86adbafc888d0f95f0

        SHA1

        49d6b109bf24f39c2c0f62c0796b8693c0bd99e5

        SHA256

        7b3daacf846fe79840647e67d9c5226a7fda47d5b32c24d874654e8ff78ffcc9

        SHA512

        b0f0e0a6f2962250c3b9f87637854756e7a0fcde561aae14654d0dcd1e1013876442c0354e41c5bc8e3ef57f170ac2073874ff22fdc5656f62f930350f9df6ac

        Download Submit

      • C:\ProgramData\D310.tmp
        Filesize

        14KB

        MD5

        294e9f64cb1642dd89229fff0592856b

        SHA1

        97b148c27f3da29ba7b18d6aee8a0db9102f47c9

        SHA256

        917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

        SHA512

        b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\CCCCCCCCCCCCCC
        Filesize

        147KB

        MD5

        44e415d8c049ef244d449cc3858d5033

        SHA1

        c42030ac5f755d49d7d3f3addc917a771581dcb6

        SHA256

        5d146b16861aeebb9ec16a54e89ed31ba30c833b2646132084158b78a3720018

        SHA512

        6acc5cad75af9d1c95ae50f636749e7a75f1f212333f5bacade7ab18ec0991e6f55fb303fe829d80ae5e502e7c479c6c61803f6600e92f57f4e3049c4c927868

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{AB2C34DE-B496-4D6C-A220-D13B44C739C7}
        Filesize

        4KB

        MD5

        eb0dab0c49576c1774c26846b7466752

        SHA1

        1db5e6012bfd0f0aa73e1ddd59cc03e984a612b8

        SHA256

        31b740d079f67341fffca379908089f356aba754755e29b7a8da52552a518fe1

        SHA512

        dda198779946a669a4ee165358a78b2ba3d81232274ef7ab430ad3a385673a0894c1554d7250538cb01a16829d97eea6f2708f1a6927054b5ec730e0818eacaf

        Download Submit

      • C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\Open Notebook.onetoc2
        Filesize

        4KB

        MD5

        0e7fb426791464dedcd53ffd5eb49816

        SHA1

        6181c9f3b01b93ae679a66284cf6ef87123d5baa

        SHA256

        f5831215a95b405a9f12a4e63b3980006ffe8a00d36053d0c8ed3415a606d0a2

        SHA512

        1a2cc191714500b244f6e7e4cf9024f055a75dee25e6aaf0622428d9555c5ac5b487892b5a9377714eb960b7c48308fe5307c1f523ab3f32054109a4808b5d95

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-1537126222-899333903-2037027349-1000\DDDDDDDDDDD
        Filesize

        129B

        MD5

        0165cd97e7c124a4486fd787fe84138a

        SHA1

        20c2cb6e8b5b7411429c489401faa2538c01b92b

        SHA256

        246debdc4ab3ec2cad8a287e8a0524a089447728dea0d49b5d6be44eea9b8353

        SHA512

        1ae71de2128c3c01832fd870b829bdda59cc22948781efe3687eeed25e022c675a1717dc0e9655465bbf3a99feb06864448e7f973a4ead4242ad7947a19b1972

        Download Submit

      • memory/1532-2815-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2817-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2812-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2813-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2806-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2816-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2807-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2805-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2814-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1532-2811-0x000002B793C60000-0x000002B793C61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1648-2714-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1648-0-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1648-1-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1648-2-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1648-2716-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1648-2715-0x0000000002C10000-0x0000000002C20000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2803-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2732-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2735-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2734-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2731-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2729-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2802-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2766-0x00007FF9C9330000-0x00007FF9C9340000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2801-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2800-0x00007FF9CBAB0000-0x00007FF9CBAC0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3100-2765-0x00007FF9C9330000-0x00007FF9C9340000-memory.dmp

        Filesize

        64KB

        Download