85a8fb1a3141fdca3588330bd8945a8775af26f0a145ed61e68bcd351915b25a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

18.8MB
MD5

8bba02b9071196c8b1681eb086e699b3
SHA1

adc78b8c976c3e9f52f57c760b3047e3c91fb389
SHA256

85a8fb1a3141fdca3588330bd8945a8775af26f0a145ed61e68bcd351915b25a
SHA512

06aa6c03a256489039276ee091ef346112ad7a225b97fac803f8288f927a65fc68d7f3421c3e8bf9d82236d6805688d40a5ba5bce2ea61821867edccebbc3436
SSDEEP

393216:MxsYJZy/ER2j9dkgZ3lNQdTVng6//XWIDCF/BilP+U7AY5zE3qsw5:MxDy/ZrQFVnZ3XWQCNBil2U7AY5zEu

Score

9^/10

evasion persistence privilege_escalation themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	loader.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	loader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	loader.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/392-1-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-0-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-2-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-3-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-5-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-6-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-7-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-8-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-10-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida
behavioral2/memory/392-16-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	loader.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
392	loader.exe
392	loader.exe
392	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1972	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
748	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2008	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	taskkill.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 392 wrote to memory of 2896	392	loader.exe	93
PID 392 wrote to memory of 2896	392	loader.exe	93
PID 2896 wrote to memory of 748	2896	cmd.exe	95
PID 2896 wrote to memory of 748	2896	cmd.exe	95
PID 392 wrote to memory of 2960	392	loader.exe	96
PID 392 wrote to memory of 2960	392	loader.exe	96
PID 2960 wrote to memory of 1760	2960	cmd.exe	98
PID 2960 wrote to memory of 1760	2960	cmd.exe	98
PID 392 wrote to memory of 4720	392	loader.exe	99
PID 392 wrote to memory of 4720	392	loader.exe	99
PID 4720 wrote to memory of 3292	4720	cmd.exe	101
PID 4720 wrote to memory of 3292	4720	cmd.exe	101
PID 392 wrote to memory of 3512	392	loader.exe	102
PID 392 wrote to memory of 3512	392	loader.exe	102
PID 3512 wrote to memory of 2308	3512	cmd.exe	104
PID 3512 wrote to memory of 2308	3512	cmd.exe	104
PID 392 wrote to memory of 816	392	loader.exe	105
PID 392 wrote to memory of 816	392	loader.exe	105
PID 816 wrote to memory of 3968	816	cmd.exe	107
PID 816 wrote to memory of 3968	816	cmd.exe	107
PID 392 wrote to memory of 4588	392	loader.exe	108
PID 392 wrote to memory of 4588	392	loader.exe	108
PID 4588 wrote to memory of 2604	4588	cmd.exe	110
PID 4588 wrote to memory of 2604	4588	cmd.exe	110
PID 392 wrote to memory of 3144	392	loader.exe	111
PID 392 wrote to memory of 3144	392	loader.exe	111
PID 3144 wrote to memory of 1652	3144	cmd.exe	113
PID 3144 wrote to memory of 1652	3144	cmd.exe	113
PID 392 wrote to memory of 3304	392	loader.exe	118
PID 392 wrote to memory of 3304	392	loader.exe	118
PID 3304 wrote to memory of 1972	3304	cmd.exe	120
PID 3304 wrote to memory of 1972	3304	cmd.exe	120
PID 3304 wrote to memory of 2008	3304	cmd.exe	121
PID 3304 wrote to memory of 2008	3304	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:392
- C:\Windows\system32\cmd.exe
  /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:748
- C:\Windows\system32\cmd.exe
  /c netsh interface ip delete arpcache
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\system32\netsh.exe
    netsh interface ip delete arpcache
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1760
- C:\Windows\system32\cmd.exe
  /c certutil -URLCache * delete
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\certutil.exe
    certutil -URLCache * delete
    3⤵
    PID:3292
- C:\Windows\system32\cmd.exe
  /c netsh int ip reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\netsh.exe
    netsh int ip reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2308
- C:\Windows\system32\cmd.exe
  /c netsh int ipv4 reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\system32\netsh.exe
    netsh int ipv4 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3968
- C:\Windows\system32\cmd.exe
  /c netsh int ipv6 reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\netsh.exe
    netsh int ipv6 reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2604
- C:\Windows\system32\cmd.exe
  /c netsh winsock reset
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\system32\netsh.exe
    netsh winsock reset
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C timeout /T 1 /NOBREAK > Nul & taskkill /F /IM "loader.exe" & Del /f /q "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\system32\timeout.exe
    timeout /T 1 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:1972
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM "loader.exe"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-1-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-4-0x00007FFDF0E50000-0x00007FFDF0E52000-memory.dmp

Filesize
8KB

Download
memory/392-0-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-2-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-3-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-5-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-6-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-7-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-8-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-9-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-10-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download
memory/392-13-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-17-0x00007FFDF0DB0000-0x00007FFDF0FA5000-memory.dmp

Filesize
2.0MB

Download
memory/392-16-0x00007FF73AE90000-0x00007FF73E2DC000-memory.dmp

Filesize
52.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads