Analysis

max time kernel: 1560s
max time network: 1562s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10/11/2024, 21:07
Static task: static1
Behavioral task: behavioral1
  Sample: Loader.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Loader.exe
  Resource: win10v2004-20241007-en
General

Target: Loader.exe
Size: 17.9MB
MD5: bea22ae5c744cc6615f2f19382f5300f
SHA1: 26170df7ce128fcf4fc4abd7d254444183183a93
SHA256: b58117445d7d23312d99f0664912fbd039c15d78b96d8f5453ee47f1c6983cc8
SHA512: 21254481e35802c99155b12067ffa429c76e12929028c194817f92d6181ba935973a3915bb8279bbece46c794fd3df9b0a6338c848f4a46a1c09d9697adff8fb
SSDEEP: 393216:kJR1IgHFmTxJNv1E/XTygiF6RAYuiq4a8Vq6Df5D2b:UzIYIx1CiF6iCa8Vm
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe

Creates new service(s) 2 TTPs
The process tree below shows how: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys, followed by sc start windowsproc, i.e. an attempt to load the dropped winhb.sys as a kernel-mode driver service.

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\winhb.sys | Loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe

Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe
Drops file in System32 directory 6 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Loader.exe
File opened for modification | C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2368 | Loader.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Loader.exe
Launches sc.exe 4 IoCs
sc.exe is a Windows utility to control services on the system.
pid | Process
264 | sc.exe
2112 | sc.exe
1744 | sc.exe
2624 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DllHost.exe
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid | Process
2368 | Loader.exe (16 identical entries)
Suspicious use of WriteProcessMemory 39 IoCs
Each parent-to-child write below is recorded three times in the raw log (13 distinct pairs, 39 entries); the target PIDs are the child processes in the tree below.
source PID | source Process | target PID | procid_target
2368 | Loader.exe | 2388 | 31
2368 | Loader.exe | 2392 | 32
2368 | Loader.exe | 3040 | 33
2368 | Loader.exe | 1544 | 36
1544 | cmd.exe | 2168 | 38
2392 | cmd.exe | 1744 | 39
2388 | cmd.exe | 2112 | 40
3040 | cmd.exe | 264 | 41
1544 | cmd.exe | 2712 | 42
1544 | cmd.exe | 580 | 43
2368 | Loader.exe | 2776 | 45
2776 | cmd.exe | 2624 | 47
2368 | Loader.exe | 2896 | 48
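The registry signatures above (the VBOX__ ACPI key, the two BIOS version values, EnableLUA and the NLS\Language key) are the kind of evidence an analyst wants to score rather than eyeball. The following is an added example by the editor, not sandbox output and not code from the sample: it parses constructed registry events that mirror the IoCs listed above, matches them against a small rule set, and flags processes whose weighted score crosses a threshold. The rule patterns, weights and the "process|operation|path" line format are the editor's assumptions, not the sandbox's signature engine.

```python
"""Score a process's registry activity for anti-VM / anti-sandbox / UAC probes.

Added example (editor's own), not output of the sandbox or code from the sample.
SAMPLE_LOG is constructed to mirror the IoCs in the report; RULES and their
weights are assumptions about which registry paths a VM-aware loader probes.
"""
import re
from collections import defaultdict

# Constructed events in "process|operation|registry path" form (not a real export).
SAMPLE_LOG = [
    r"Loader.exe|Key opened|\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
    r"Loader.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"Loader.exe|Key value queried|\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"Loader.exe|Key value queried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    r"DllHost.exe|Key opened|\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language",
    # Benign noise: a Run-key read by the shell must not raise any score.
    r"explorer.exe|Key value queried|\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

# rule name -> (weight, pattern over the registry path). Weights are assumptions:
# the VBOX__ ACPI table name has no legitimate reason to be looked up, so it alone
# reaches the default threshold; BIOS version and EnableLUA reads also occur in
# benign software, so they only add up in combination.
RULES = {
    "vm_acpi_vbox":       (3, re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    "bios_version_probe": (1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I)),
    "uac_policy_probe":   (1, re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    "locale_probe":       (1, re.compile(r"\\Control\\NLS\\Language$", re.I)),
}


def parse_event(line):
    """Split one constructed event line into (process, operation, path)."""
    process, operation, path = line.split("|", 2)
    return process, operation, path


def match_events(lines):
    """Return {process: [(rule, operation, path), ...]} for every event a rule matches."""
    hits = defaultdict(list)
    for line in lines:
        process, operation, path = parse_event(line)
        for name, (_, pattern) in RULES.items():
            if pattern.search(path):
                hits[process].append((name, operation, path))
    return dict(hits)


def score(hits):
    """Sum the rule weights per process."""
    return {p: sum(RULES[name][0] for name, _, _ in h) for p, h in hits.items()}


def flag_anti_analysis(lines, threshold=3):
    """Processes whose weighted probe score reaches the threshold, highest score first."""
    scores = score(match_events(lines))
    return sorted((p for p, v in scores.items() if v >= threshold), key=lambda p: -scores[p])


if __name__ == "__main__":
    for process, hits in match_events(SAMPLE_LOG).items():
        print(process, sorted({name for name, _, _ in hits}))
    print("flagged:", flag_anti_analysis(SAMPLE_LOG))
```

With the default threshold only Loader.exe is flagged (score 6: the VBOX__ lookup plus two BIOS reads and the EnableLUA read); DllHost.exe's single NLS\Language read scores 1 and stays below it, which matches the report treating that event as discovery rather than evasion. Other hypervisors expose their own OEM identifiers under the same HARDWARE\ACPI keys and would be added as further rules.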
Processes
Indentation shows the parent/child relationship; top-level entries are the processes the sandbox started directly.

C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 2368)
  command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 2388)
      command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 2112)
          command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
          - Launches sc.exe

    C:\Windows\System32\cmd.exe (PID 2392)
      command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 1744)
          command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
          - Launches sc.exe

    C:\Windows\System32\cmd.exe (PID 3040)
      command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 264)
          command line: sc start windowsproc
          - Launches sc.exe

    C:\Windows\system32\cmd.exe (PID 1544)
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe (PID 2168)
          command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

        C:\Windows\system32\find.exe (PID 2712)
          command line: find /i /v "md5"

        C:\Windows\system32\find.exe (PID 580)
          command line: find /i /v "certutil"

    C:\Windows\System32\cmd.exe (PID 2776)
      command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 2624)
          command line: sc start windowsproc
          - Launches sc.exe

    C:\Windows\system32\cmd.exe (PID 2896)
      command line: C:\Windows\system32\cmd.exe /c cls

C:\Windows\SysWOW64\DllHost.exe (PID 2612)
  command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
  - System Location Discovery: System Language Discovery
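Two chains in the tree above are worth turning into detection logic: the kernel service chain (sc create ... type=kernel binpath=<dropped .sys>, then sc start of the same name, all descending from Loader.exe) and the certutil chain, where the loader hashes its own image and uses find /v to strip certutil's header and footer lines so only the MD5 remains, i.e. a self-integrity check. The following is an added example by the editor, not sandbox output and not code from the sample: it rebuilds the process tree from process-creation records and reports both chains. The records are constructed from the PIDs and command lines in the tree; the field names (pid, ppid, image, cmdline) are the editor's own, modelled loosely on Sysmon event 1, and the parent PID 1000 for Loader.exe is an assumption, since the report does not show its parent.

```python
"""Rebuild a process tree from process-creation records and flag (a) a kernel-type
service created and then started via sc.exe and (b) a certutil self-hash of an
ancestor's image.

Added example (editor's own), not sandbox output or code from the sample. RECORDS
is constructed from the PIDs and command lines in the report's process tree; the
field names are assumptions, as is ppid 1000 for Loader.exe (parent not shown).
"""
import ntpath
import re

SYS = r"C:\Windows\System32"
CMD, SC, CERTUTIL = SYS + r"\cmd.exe", SYS + r"\sc.exe", SYS + r"\certutil.exe"
LOADER = r"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
SC_CREATE = r"sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys"

RECORDS = [  # constructed; one dict per process creation, in creation order
    {"pid": 2368, "ppid": 1000, "image": LOADER, "cmdline": f'"{LOADER}"'},
    {"pid": 2388, "ppid": 2368, "image": CMD, "cmdline": f'"{CMD}" /C {SC_CREATE}'},
    {"pid": 2112, "ppid": 2388, "image": SC, "cmdline": SC_CREATE},
    {"pid": 3040, "ppid": 2368, "image": CMD, "cmdline": f'"{CMD}" /C sc start windowsproc'},
    {"pid": 264, "ppid": 3040, "image": SC, "cmdline": "sc start windowsproc"},
    {"pid": 1544, "ppid": 2368, "image": CMD,
     "cmdline": f'{CMD} /c certutil -hashfile "{LOADER}" MD5 | find /i /v "md5" | find /i /v "certutil"'},
    {"pid": 2168, "ppid": 1544, "image": CERTUTIL, "cmdline": f'certutil -hashfile "{LOADER}" MD5'},
    {"pid": 2776, "ppid": 2368, "image": CMD, "cmdline": f'"{CMD}" /C sc start windowsproc'},
    {"pid": 2624, "ppid": 2776, "image": SC, "cmdline": "sc start windowsproc"},
    {"pid": 2896, "ppid": 2368, "image": CMD, "cmdline": f"{CMD} /c cls"},
]

CREATE_RE = re.compile(r"^\s*sc(?:\.exe)?\s+create\s+(\S+)\s+(.*)$", re.I)
START_RE = re.compile(r"^\s*sc(?:\.exe)?\s+start\s+(\S+)", re.I)
HASHFILE_RE = re.compile(r'-hashfile\s+"?([^"]+?)"?\s+\w+\s*$', re.I)


def by_pid(records):
    return {r["pid"]: r for r in records}


def ancestors(index, pid):
    """Parent PIDs from pid upwards, stopping at an unknown parent or a cycle."""
    chain, cur = [], index.get(pid)
    while cur is not None and cur["ppid"] in index and cur["ppid"] not in chain:
        chain.append(cur["ppid"])
        cur = index[cur["ppid"]]
    return chain


def _basename(path):
    return ntpath.basename(path).lower()  # ntpath: Windows paths on any host OS


def detect_kernel_service_chain(records):
    """Pair each 'sc start <name>' with an earlier 'sc create <name> type=kernel'.

    Only sc.exe records are parsed, so the cmd.exe wrappers carrying the same
    command line do not produce duplicates. Assumes creation order in `records`."""
    index, created, findings = by_pid(records), {}, []
    for r in records:
        if _basename(r["image"]) != "sc.exe":
            continue
        m = CREATE_RE.match(r["cmdline"])
        if m and re.search(r"\btype=\s*kernel\b", m.group(2), re.I):
            bp = re.search(r'\bbinpath=\s*"?([^"\s]+)', m.group(2), re.I)
            if bp:
                created[m.group(1).lower()] = (bp.group(1), r["pid"])
            continue
        m = START_RE.match(r["cmdline"])
        if m and m.group(1).lower() in created:
            driver, creator = created[m.group(1).lower()]
            chain = ancestors(index, r["pid"])
            root = chain[-1] if chain else r["pid"]
            findings.append({"service": m.group(1), "driver": driver, "created_by": creator,
                             "started_by": r["pid"], "root_pid": root, "root_image": index[root]["image"]})
    return findings


def detect_self_hash(records):
    """certutil -hashfile whose target is the image of one of certutil's own ancestors."""
    index, findings = by_pid(records), []
    for r in records:
        if _basename(r["image"]) != "certutil.exe":
            continue
        m = HASHFILE_RE.search(r["cmdline"])
        if not m:
            continue
        for a in ancestors(index, r["pid"]):
            if index[a]["image"].lower() == m.group(1).lower():
                findings.append({"pid": r["pid"], "hashed": m.group(1), "ancestor_pid": a})
                break
    return findings


if __name__ == "__main__":
    for f in detect_kernel_service_chain(RECORDS) + detect_self_hash(RECORDS):
        print(f)
```

On the constructed records the service detector returns two findings (one per sc start, PIDs 264 and 2624), both rooted at PID 2368 and pointing at C:\Windows\System32\drivers\winhb.sys, and the self-hash detector returns the certutil process 2168 with Loader.exe (PID 2368) as the matching ancestor. On real telemetry the same fields come from Sysmon event 1 or Security event 4688 with command-line logging enabled; the create-before-start ordering assumption holds there because both are sequenced by creation time.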