85a8fb1a3141fdca3588330bd8945a8775af26f0a145ed61e68bcd351915b25a

General

Target

loader.exe
Size

18.8MB
MD5

8bba02b9071196c8b1681eb086e699b3
SHA1

adc78b8c976c3e9f52f57c760b3047e3c91fb389
SHA256

85a8fb1a3141fdca3588330bd8945a8775af26f0a145ed61e68bcd351915b25a
SHA512

06aa6c03a256489039276ee091ef346112ad7a225b97fac803f8288f927a65fc68d7f3421c3e8bf9d82236d6805688d40a5ba5bce2ea61821867edccebbc3436
SSDEEP

393216:MxsYJZy/ER2j9dkgZ3lNQdTVng6//XWIDCF/BilP+U7AY5zE3qsw5:MxDy/ZrQFVnZ3XWQCNBil2U7AY5zEu

Score

9^/10

evasion persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

loader.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ loader.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	loader.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/392-1-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-0-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-2-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-3-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-5-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-6-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-7-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-8-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-10-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-16-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA loader.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

loader.exe

pid process

392 loader.exe
392 loader.exe
392 loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

pid	process
392	loader.exe
392	loader.exe
392	loader.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1972 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

748 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2008 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2008 taskkill.exe

pid	process
1972	timeout.exe

pid	process
748	ipconfig.exe

pid	process
2008	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2008	taskkill.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 392 wrote to memory of 2896	392	loader.exe	cmd.exe
PID 392 wrote to memory of 2896	392	loader.exe	cmd.exe
PID 2896 wrote to memory of 748	2896	cmd.exe	ipconfig.exe
PID 2896 wrote to memory of 748	2896	cmd.exe	ipconfig.exe
PID 392 wrote to memory of 2960	392	loader.exe	cmd.exe
PID 392 wrote to memory of 2960	392	loader.exe	cmd.exe
PID 2960 wrote to memory of 1760	2960	cmd.exe	netsh.exe
PID 2960 wrote to memory of 1760	2960	cmd.exe	netsh.exe
PID 392 wrote to memory of 4720	392	loader.exe	cmd.exe
PID 392 wrote to memory of 4720	392	loader.exe	cmd.exe
PID 4720 wrote to memory of 3292	4720	cmd.exe	certutil.exe
PID 4720 wrote to memory of 3292	4720	cmd.exe	certutil.exe
PID 392 wrote to memory of 3512	392	loader.exe	cmd.exe
PID 392 wrote to memory of 3512	392	loader.exe	cmd.exe
PID 3512 wrote to memory of 2308	3512	cmd.exe	netsh.exe
PID 3512 wrote to memory of 2308	3512	cmd.exe	netsh.exe
PID 392 wrote to memory of 816	392	loader.exe	cmd.exe
PID 392 wrote to memory of 816	392	loader.exe	cmd.exe
PID 816 wrote to memory of 3968	816	cmd.exe	netsh.exe
PID 816 wrote to memory of 3968	816	cmd.exe	netsh.exe
PID 392 wrote to memory of 4588	392	loader.exe	cmd.exe
PID 392 wrote to memory of 4588	392	loader.exe	cmd.exe
PID 4588 wrote to memory of 2604	4588	cmd.exe	netsh.exe
PID 4588 wrote to memory of 2604	4588	cmd.exe	netsh.exe
PID 392 wrote to memory of 3144	392	loader.exe	cmd.exe
PID 392 wrote to memory of 3144	392	loader.exe	cmd.exe
PID 3144 wrote to memory of 1652	3144	cmd.exe	netsh.exe
PID 3144 wrote to memory of 1652	3144	cmd.exe	netsh.exe
PID 392 wrote to memory of 3304	392	loader.exe	cmd.exe
PID 392 wrote to memory of 3304	392	loader.exe	cmd.exe
PID 3304 wrote to memory of 1972	3304	cmd.exe	timeout.exe
PID 3304 wrote to memory of 1972	3304	cmd.exe	timeout.exe
PID 3304 wrote to memory of 2008	3304	cmd.exe	taskkill.exe
PID 3304 wrote to memory of 2008	3304	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\cmd.exe
  /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:748
- C:\Windows\system32\cmd.exe
  /c netsh interface ip delete arpcache
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\netsh.exe
    netsh interface ip delete arpcache
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1760
- C:\Windows\system32\cmd.exe
  /c certutil -URLCache * delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\certutil.exe
    certutil -URLCache * delete
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  /c netsh int ip reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2308
- C:\Windows\system32\cmd.exe
  /c netsh int ipv4 reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3968
- C:\Windows\system32\cmd.exe
  /c netsh int ipv6 reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2604
- C:\Windows\system32\cmd.exe
  /c netsh winsock reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 1 /NOBREAK > Nul & taskkill /F /IM "loader.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\timeout.exe
    timeout /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "loader.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

5

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-1-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-4-0x00007FFDF0E50000-0x00007FFDF0E52000-memory.dmp

Filesize
8KB

Download
memory/392-0-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-2-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-3-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-5-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-6-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-7-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-8-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-9-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-10-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-13-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-17-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-16-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads