Analysis
max time kernel: 1150s
max time network: 1161s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10/11/2024, 21:07
Static task: static1
Behavioral task: behavioral1 (Sample: Loader.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Loader.exe, Resource: win10v2004-20241007-en)
General
Target: Loader.exe
Size: 17.9MB
MD5: bea22ae5c744cc6615f2f19382f5300f
SHA1: 26170df7ce128fcf4fc4abd7d254444183183a93
SHA256: b58117445d7d23312d99f0664912fbd039c15d78b96d8f5453ee47f1c6983cc8
SHA512: 21254481e35802c99155b12067ffa429c76e12929028c194817f92d6181ba935973a3915bb8279bbece46c794fd3df9b0a6338c848f4a46a1c09d9697adff8fb
SSDEEP: 393216:kJR1IgHFmTxJNv1E/XTygiF6RAYuiq4a8Vq6Df5D2b:UzIYIx1CiF6iCa8Vm
Malware Config
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\winhb.sys | Loader.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | Loader.exe

Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe
Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Loader.exe
File opened for modification | C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
3712 | Loader.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
Launches sc.exe (4 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
1588 | sc.exe
1916 | sc.exe
2148 | sc.exe
2164 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process
3712 | Loader.exe (32 entries, all with this PID and process)

Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
652 | Process not Found
652 | Process not Found

Suspicious use of WriteProcessMemory (26 IoCs; each row below was recorded twice)
description | pid | Process | procid_target
PID 3712 wrote to memory of 4524 | 3712 | Loader.exe | 89
PID 4524 wrote to memory of 1588 | 4524 | cmd.exe | 91
PID 3712 wrote to memory of 5072 | 3712 | Loader.exe | 94
PID 5072 wrote to memory of 1916 | 5072 | cmd.exe | 97
PID 3712 wrote to memory of 1344 | 3712 | Loader.exe | 98
PID 3712 wrote to memory of 1124 | 3712 | Loader.exe | 100
PID 3712 wrote to memory of 2268 | 3712 | Loader.exe | 102
PID 2268 wrote to memory of 4588 | 2268 | cmd.exe | 103
PID 2268 wrote to memory of 912 | 2268 | cmd.exe | 104
PID 2268 wrote to memory of 3152 | 2268 | cmd.exe | 105
PID 1344 wrote to memory of 2148 | 1344 | cmd.exe | 106
PID 1124 wrote to memory of 2164 | 1124 | cmd.exe | 107
PID 3712 wrote to memory of 2292 | 3712 | Loader.exe | 109
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 3712)
  command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks computer location settings
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (PID 4524)
    command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (PID 1588)
      command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (PID 5072)
    command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (PID 1916)
      command line: sc start windowsproc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (PID 1344)
    command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (PID 2148)
      command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
      - Launches sc.exe

  C:\Windows\System32\cmd.exe (PID 1124)
    command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\sc.exe (PID 2164)
      command line: sc start windowsproc
      - Launches sc.exe

  C:\Windows\system32\cmd.exe (PID 2268)
    command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\certutil.exe (PID 4588)
      command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

    C:\Windows\system32\find.exe (PID 912)
      command line: find /i /v "md5"

    C:\Windows\system32\find.exe (PID 3152)
      command line: find /i /v "certutil"

  C:\Windows\system32\cmd.exe (PID 2292)
    command line: C:\Windows\system32\cmd.exe /c cls