Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-11-2024 16:48

General

  • Target

    loader.exe

  • Size

    18.8MB

  • MD5

    8bba02b9071196c8b1681eb086e699b3

  • SHA1

    adc78b8c976c3e9f52f57c760b3047e3c91fb389

  • SHA256

    85a8fb1a3141fdca3588330bd8945a8775af26f0a145ed61e68bcd351915b25a

  • SHA512

    06aa6c03a256489039276ee091ef346112ad7a225b97fac803f8288f927a65fc68d7f3421c3e8bf9d82236d6805688d40a5ba5bce2ea61821867edccebbc3436

  • SSDEEP

    393216:MxsYJZy/ER2j9dkgZ3lNQdTVng6//XWIDCF/BilP+U7AY5zE3qsw5:MxDy/ZrQFVnZ3XWQCNBil2U7AY5zEu

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Delays execution with timeout.exe 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 45 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2908
    • C:\Windows\system32\cmd.exe
      /c ipconfig /flushdns
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • Gathers network information
        PID:988
    • C:\Windows\system32\cmd.exe
      /c netsh interface ip delete arpcache
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\system32\netsh.exe
        netsh interface ip delete arpcache
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2156
    • C:\Windows\system32\cmd.exe
      /c certutil -URLCache * delete
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2976
      • C:\Windows\system32\certutil.exe
        certutil -URLCache * delete
        3⤵
        PID:2840
    • C:\Windows\system32\cmd.exe
      /c netsh int ip reset
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Windows\system32\netsh.exe
        netsh int ip reset
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2836
    • C:\Windows\system32\cmd.exe
      /c netsh int ipv4 reset
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2828
      • C:\Windows\system32\netsh.exe
        netsh int ipv4 reset
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2816
    • C:\Windows\system32\cmd.exe
      /c netsh int ipv6 reset
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\system32\netsh.exe
        netsh int ipv6 reset
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2788
    • C:\Windows\system32\cmd.exe
      /c netsh winsock reset
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Windows\system32\netsh.exe
        netsh winsock reset
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        PID:2648
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C timeout /T 1 /NOBREAK > Nul & taskkill /F /IM "loader.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\system32\timeout.exe
        timeout /T 1 /NOBREAK
        3⤵
        • Delays execution with timeout.exe
        PID:1612
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM "loader.exe"
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1720
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1664

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1664-17-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
  • memory/1664-20-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
  • memory/1664-19-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
  • memory/1664-18-0x0000000140000000-0x00000001405E8000-memory.dmp (Filesize 5.9MB)
  • memory/2908-6-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-12-0x0000000076E80000-0x0000000077029000-memory.dmp (Filesize 1.7MB)
  • memory/2908-7-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-8-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-1-0x0000000076ED0000-0x0000000076ED2000-memory.dmp (Filesize 8KB)
  • memory/2908-9-0x0000000076E80000-0x0000000077029000-memory.dmp (Filesize 1.7MB)
  • memory/2908-10-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-5-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-11-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-15-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-16-0x0000000076E80000-0x0000000077029000-memory.dmp (Filesize 1.7MB)
  • memory/2908-3-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-4-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-2-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)
  • memory/2908-0-0x000000013FA30000-0x0000000142E7C000-memory.dmp (Filesize 52.3MB)