ba3d8fc30278371c610a3a787e0484b2099f8719c257c437646aeef898431b70

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Loader v2.2.2/Windows Loader.exe
Size

3.8MB
MD5

323c0fd51071400b51eedb1be90a8188
SHA1

0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256

2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512

4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e
SSDEEP

49152:cEYCFEvlmOmTgtFM3uK5m3imrHuiff+puWV355FXw/+zuWV355FXw/+DuWV355FP:cEYzEFTgtFM3ukm3imPnt

Score

8^/10

discovery exploit upx

Malware Config

Signatures

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
2848	icacls.exe
552	takeown.exe
1600	icacls.exe
544	takeown.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	Windows Loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2136	bootsect.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
552	takeown.exe
1600	icacls.exe
544	takeown.exe
2848	icacls.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral7/memory/2532-0-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral7/memory/2532-65-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral7/memory/2532-68-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral7/memory/2532-78-0x0000000000400000-0x0000000000623000-memory.dmp	upx
behavioral7/memory/2532-80-0x0000000000400000-0x0000000000623000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bootsect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Windows Loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Windows Loader.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2532	Windows Loader.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2532	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	2532	Windows Loader.exe
Token: 33	2532	Windows Loader.exe
Token: SeIncBasePriorityPrivilege	2532	Windows Loader.exe
Token: SeTakeOwnershipPrivilege	552	takeown.exe
Token: SeTakeOwnershipPrivilege	544	takeown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	Windows Loader.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2436	2532	Windows Loader.exe	33
PID 2532 wrote to memory of 2436	2532	Windows Loader.exe	33
PID 2532 wrote to memory of 2436	2532	Windows Loader.exe	33
PID 2532 wrote to memory of 2436	2532	Windows Loader.exe	33
PID 2436 wrote to memory of 2856	2436	cmd.exe	35
PID 2436 wrote to memory of 2856	2436	cmd.exe	35
PID 2436 wrote to memory of 2856	2436	cmd.exe	35
PID 2436 wrote to memory of 2856	2436	cmd.exe	35
PID 2856 wrote to memory of 552	2856	cmd.exe	36
PID 2856 wrote to memory of 552	2856	cmd.exe	36
PID 2856 wrote to memory of 552	2856	cmd.exe	36
PID 2856 wrote to memory of 552	2856	cmd.exe	36
PID 2532 wrote to memory of 892	2532	Windows Loader.exe	37
PID 2532 wrote to memory of 892	2532	Windows Loader.exe	37
PID 2532 wrote to memory of 892	2532	Windows Loader.exe	37
PID 2532 wrote to memory of 892	2532	Windows Loader.exe	37
PID 892 wrote to memory of 1600	892	cmd.exe	39
PID 892 wrote to memory of 1600	892	cmd.exe	39
PID 892 wrote to memory of 1600	892	cmd.exe	39
PID 892 wrote to memory of 1600	892	cmd.exe	39
PID 2532 wrote to memory of 2816	2532	Windows Loader.exe	40
PID 2532 wrote to memory of 2816	2532	Windows Loader.exe	40
PID 2532 wrote to memory of 2816	2532	Windows Loader.exe	40
PID 2532 wrote to memory of 2816	2532	Windows Loader.exe	40
PID 2816 wrote to memory of 2964	2816	cmd.exe	42
PID 2816 wrote to memory of 2964	2816	cmd.exe	42
PID 2816 wrote to memory of 2964	2816	cmd.exe	42
PID 2816 wrote to memory of 2964	2816	cmd.exe	42
PID 2964 wrote to memory of 544	2964	cmd.exe	43
PID 2964 wrote to memory of 544	2964	cmd.exe	43
PID 2964 wrote to memory of 544	2964	cmd.exe	43
PID 2964 wrote to memory of 544	2964	cmd.exe	43
PID 2532 wrote to memory of 2660	2532	Windows Loader.exe	44
PID 2532 wrote to memory of 2660	2532	Windows Loader.exe	44
PID 2532 wrote to memory of 2660	2532	Windows Loader.exe	44
PID 2532 wrote to memory of 2660	2532	Windows Loader.exe	44
PID 2660 wrote to memory of 2848	2660	cmd.exe	46
PID 2660 wrote to memory of 2848	2660	cmd.exe	46
PID 2660 wrote to memory of 2848	2660	cmd.exe	46
PID 2660 wrote to memory of 2848	2660	cmd.exe	46
PID 2532 wrote to memory of 2936	2532	Windows Loader.exe	47
PID 2532 wrote to memory of 2936	2532	Windows Loader.exe	47
PID 2532 wrote to memory of 2936	2532	Windows Loader.exe	47
PID 2532 wrote to memory of 2936	2532	Windows Loader.exe	47
PID 2936 wrote to memory of 2352	2936	cmd.exe	49
PID 2936 wrote to memory of 2352	2936	cmd.exe	49
PID 2936 wrote to memory of 2352	2936	cmd.exe	49
PID 2532 wrote to memory of 1976	2532	Windows Loader.exe	50
PID 2532 wrote to memory of 1976	2532	Windows Loader.exe	50
PID 2532 wrote to memory of 1976	2532	Windows Loader.exe	50
PID 2532 wrote to memory of 1976	2532	Windows Loader.exe	50
PID 1976 wrote to memory of 1160	1976	cmd.exe	52
PID 1976 wrote to memory of 1160	1976	cmd.exe	52
PID 1976 wrote to memory of 1160	1976	cmd.exe	52
PID 2532 wrote to memory of 2236	2532	Windows Loader.exe	54
PID 2532 wrote to memory of 2236	2532	Windows Loader.exe	54
PID 2532 wrote to memory of 2236	2532	Windows Loader.exe	54
PID 2532 wrote to memory of 2236	2532	Windows Loader.exe	54
PID 2236 wrote to memory of 2112	2236	cmd.exe	56
PID 2236 wrote to memory of 2112	2236	cmd.exe	56
PID 2236 wrote to memory of 2112	2236	cmd.exe	56
PID 2236 wrote to memory of 2112	2236	cmd.exe	56
PID 2532 wrote to memory of 2264	2532	Windows Loader.exe	57
PID 2532 wrote to memory of 2264	2532	Windows Loader.exe	57

C:\Users\Admin\AppData\Local\Temp\Windows Loader v2.2.2\Windows Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Loader v2.2.2\Windows Loader.exe"
1⤵
- Checks BIOS information in registry
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\ldrscan\bootwin
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ldrscan\bootwin
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c takeown /f C:\ldrscan\bootwin
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\takeown.exe
      takeown /f C:\ldrscan\bootwin
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\icacls.exe
    icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:2848
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\System32\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"
    3⤵
    PID:2352
- C:\Windows\system32\cmd.exe
  cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\cscript.exe
    C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2
    3⤵
    PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "compact /u \\?\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\JLFEC"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\compact.exe
    compact /u \\?\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\JLFEC
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\bootsect.exe
    C:\bootsect.exe /nt60 SYS /force
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Acer.XRM-MS

Filesize
2KB

MD5
f25832af6a684360950dbb15589de34a

SHA1
17ff1d21005c1695ae3dcbdc3435017c895fff5d

SHA256
266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f

SHA512
e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

Download Submit
C:\bootsect.exe

Filesize
95KB

MD5
d8584acd390e0a14d08c53a61166837c

SHA1
ba2decd7c12eaa060b6296aac1559c0527294df7

SHA256
b484614ce2e3f6e354c1328e96e14162c17bd67254eef621436e935d02efc30e

SHA512
5962d52b63093804549dd8d4531f464d232c6a244ea760e0f3e63284644629319c7377f3928a00c09f423dc0b2eaa12ef3ca0b69e00a7f40639b03a1c9574020

Download Submit
\??\Volume{c8aa3be3-69ed-11ef-97c9-806e6f6e6963}\JLFEC

Filesize
287KB

MD5
4f33dac799745943a36db4db00bb1f41

SHA1
9e85495efe4692cd2796f056562599d09366b3da

SHA256
de32eaaae28bb68780d045dd4f3d600ea454e4be67a30bbabba1a52b20cbd6c8

SHA512
f9ed9edcd9e0b8703208c82b4506fb813091afe631fbeb0d4e1a388c762d28b1f8fe24355cc19654d534270fa44bf265c89b81a40e32115ff3f128fb09744531

Download Submit
memory/2136-77-0x0000000001000000-0x000000000101B000-memory.dmp

Filesize
108KB

Download
memory/2532-9-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2532-38-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2532-22-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/2532-14-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2532-0-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2532-1-0x0000000000640000-0x0000000000653000-memory.dmp

Filesize
76KB

Download
memory/2532-65-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2532-30-0x0000000002000000-0x0000000002011000-memory.dmp

Filesize
68KB

Download
memory/2532-68-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2532-46-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/2532-54-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/2532-62-0x0000000002350000-0x00000000024F3000-memory.dmp

Filesize
1.6MB

Download
memory/2532-78-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download
memory/2532-80-0x0000000000400000-0x0000000000623000-memory.dmp

Filesize
2.1MB

Download