Analysis
max time kernel: 445s
max time network: 1166s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10/11/2024, 21:09

Static task: static1 (1 signatures)
Behavioral task: behavioral1 (Sample: Loader.exe; Resource: win11-20241007-en; 13 signatures; 1800 seconds)
General
Target: Loader.exe
Size: 17.9MB
MD5: bea22ae5c744cc6615f2f19382f5300f
SHA1: 26170df7ce128fcf4fc4abd7d254444183183a93
SHA256: b58117445d7d23312d99f0664912fbd039c15d78b96d8f5453ee47f1c6983cc8
SHA512: 21254481e35802c99155b12067ffa429c76e12929028c194817f92d6181ba935973a3915bb8279bbece46c794fd3df9b0a6338c848f4a46a1c09d9697adff8fb
SSDEEP: 393216:kJR1IgHFmTxJNv1E/XTygiF6RAYuiq4a8Vq6Df5D2b:UzIYIx1CiF6iCa8Vm
Score: 9/10
Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Loader.exe

Creates new service(s) (2 TTPs)

Drops file in Drivers directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\winhb.sys | Loader.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Loader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Loader.exe

Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Loader.exe

Drops file in System32 directory (6 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2869} | Loader.exe
File opened for modification | C:\Windows\System32\IME\IMETC\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2899} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444} | Loader.exe
File opened for modification | C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2879} | Loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
5004 | Loader.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2893} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2892} | Loader.exe
File opened for modification | C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-1B70783F2859} | Loader.exe

Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
4240 | sc.exe
3672 | sc.exe
4312 | sc.exe
2624 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (32 IoCs)
pid | Process
5004 | Loader.exe (the same entry is recorded 32 times)

Suspicious behavior: LoadsDriver (2 IoCs)
pid | Process
672 | Process not Found
672 | Process not Found

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 5004 wrote to memory of 2092 | 5004 | Loader.exe | 78
PID 5004 wrote to memory of 2092 | 5004 | Loader.exe | 78
PID 2092 wrote to memory of 4240 | 2092 | cmd.exe | 80
PID 2092 wrote to memory of 4240 | 2092 | cmd.exe | 80
PID 5004 wrote to memory of 3912 | 5004 | Loader.exe | 81
PID 5004 wrote to memory of 3912 | 5004 | Loader.exe | 81
PID 3912 wrote to memory of 3672 | 3912 | cmd.exe | 83
PID 3912 wrote to memory of 3672 | 3912 | cmd.exe | 83
PID 5004 wrote to memory of 4216 | 5004 | Loader.exe | 84
PID 5004 wrote to memory of 4216 | 5004 | Loader.exe | 84
PID 5004 wrote to memory of 4920 | 5004 | Loader.exe | 86
PID 5004 wrote to memory of 4920 | 5004 | Loader.exe | 86
PID 5004 wrote to memory of 2312 | 5004 | Loader.exe | 88
PID 5004 wrote to memory of 2312 | 5004 | Loader.exe | 88
PID 4216 wrote to memory of 4312 | 4216 | cmd.exe | 90
PID 4216 wrote to memory of 4312 | 4216 | cmd.exe | 90
PID 2312 wrote to memory of 1076 | 2312 | cmd.exe | 89
PID 2312 wrote to memory of 1076 | 2312 | cmd.exe | 89
PID 2312 wrote to memory of 3028 | 2312 | cmd.exe | 91
PID 2312 wrote to memory of 3028 | 2312 | cmd.exe | 91
PID 2312 wrote to memory of 2604 | 2312 | cmd.exe | 92
PID 2312 wrote to memory of 2604 | 2312 | cmd.exe | 92
PID 4920 wrote to memory of 2624 | 4920 | cmd.exe | 93
PID 4920 wrote to memory of 2624 | 4920 | cmd.exe | 93
PID 5004 wrote to memory of 5048 | 5004 | Loader.exe | 94
PID 5004 wrote to memory of 5048 | 5004 | Loader.exe | 94
Processes

C:\Users\Admin\AppData\Local\Temp\Loader.exe (PID 5004)
    command line: "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe (PID 2092)
        command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 4240)
            command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            - Launches sc.exe

    C:\Windows\System32\cmd.exe (PID 3912)
        command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 3672)
            command line: sc start windowsproc
            - Launches sc.exe

    C:\Windows\System32\cmd.exe (PID 4216)
        command line: "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 4312)
            command line: sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            - Launches sc.exe

    C:\Windows\System32\cmd.exe (PID 4920)
        command line: "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\sc.exe (PID 2624)
            command line: sc start windowsproc
            - Launches sc.exe

    C:\Windows\system32\cmd.exe (PID 2312)
        command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe (PID 1076)
            command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader.exe" MD5

        C:\Windows\system32\find.exe (PID 3028)
            command line: find /i /v "md5"

        C:\Windows\system32\find.exe (PID 2604)
            command line: find /i /v "certutil"

    C:\Windows\system32\cmd.exe (PID 5048)
        command line: C:\Windows\system32\cmd.exe /c cls