Windows Analysis Report
Wind0ws7l0aderV3.4875.exe

Overview

General Information

Sample name: Wind0ws7l0aderV3.4875.exe
Analysis ID: 1391067
MD5: 9631809ff9e66cc5809e51e2929dfbe8
SHA1: 4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256: c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
Tags: exe
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Contains functionality to automate explorer (e.g. start an application)
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the product ID of Windows
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe ReversingLabs: Detection: 66%
Multi AV Scanner detection for submitted file
Source: Wind0ws7l0aderV3.4875.exe ReversingLabs: Detection: 63%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Wind0ws7l0aderV3.4875.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Wind0ws7l0aderV3.4875.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose, 1_2_00DA5AE0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose, 1_2_02696A40
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose, 1_2_026B5B80
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose, 1_2_026D52A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose, 1_2_026F3FB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose, 1_2_02703CC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose, 1_2_02F9FAB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose, 1_2_1000F790
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0053A130 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData, 1_2_0053A130
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0053A130 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData, 1_2_0053A130
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_004159E0 GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount, 1_2_004159E0
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_005586C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 1_2_005586C0

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9caf6c5c-e
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_57dc25a1-0
Source: Wind0ws7l0aderV3.4875.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_53f12a50-5
Source: Wind0ws7l0aderV3.4875.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer" memstr_5d1a8329-6
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00576849 1_2_00576849
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00571427 1_2_00571427
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_005196C0 1_2_005196C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0040CEF0 1_2_0040CEF0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0051A770 1_2_0051A770
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00519F00 1_2_00519F00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00DA25F0 1_2_00DA25F0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02693550 1_2_02693550
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026B10E9 1_2_026B10E9
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026B25C0 1_2_026B25C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026F1C50 1_2_026F1C50
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026F1310 1_2_026F1310
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02F9BE90 1_2_02F9BE90
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02F92110 1_2_02F92110
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_10009C00 1_2_10009C00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_100114A0 1_2_100114A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_10004DC0 1_2_10004DC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_1000DACB 1_2_1000DACB
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_100087C0 1_2_100087C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0279321C 1_2_0279321C
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0278901E 1_2_0278901E
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0274A0FD 1_2_0274A0FD
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_027494EF 1_2_027494EF
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0274BA1A 1_2_0274BA1A
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe 2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 02F974B0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 004AB970 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 004F1FC0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 10001000 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 004F1F50 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 005253E0 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: String function: 004C9900 appears 41 times
PE file contains executable resources (Code or Archives)
Source: WindowsLoader.exe.0.dr Static PE information: Resource name: RT_CURSOR type: Microsoft a.out overlay pure segmented standalone word-swapped not-stripped pre-SysV V3.0 386 small model executable not stripped
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: msftedit.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: windows.globalization.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: globinputhost.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Section loaded: wintypes.dll Jump to behavior
Uses 32bit PE files
Source: Wind0ws7l0aderV3.4875.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: WindowsLoader.exe.0.dr Static PE information: Section: UPX1 ZLIB complexity 0.9983461850649351
Source: WindowsLoader.exe.0.dr Binary string: \ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)multi(%d)disk(%d)rdisk(%d)FirmwareBootDevice\Registry\Machine\SYSTEM\CurrentControlSet\Control%s\Partition%lu\Partition0SystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%luMININTSystemStartOptions%s%s\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d)
Source: classification engine Classification label: mal80.evad.winEXE@3/2@0/0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00DA1462 CoInitialize,CoCreateInstance, 1_2_00DA1462
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Mutant created: \Sessions\1\BaseNamedObjects\WIN7LDRMU
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe File created: C:\Users\user\AppData\Local\Temp\aut2507.tmp Jump to behavior
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Wind0ws7l0aderV3.4875.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Window found: window name: SysTabControl32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Wind0ws7l0aderV3.4875.exe Static file information: File size 4612608 > 1048576
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x39da00
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Wind0ws7l0aderV3.4875.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress, 1_2_0044E350
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00568521 push ecx; ret 1_2_00568534
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_100179F0 push eax; ret 1_2_10017BE1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Drops PE files
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe File created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Jump to dropped file
May use bcdedit to modify the Windows boot settings
Source: WindowsLoader.exe.0.dr Binary or memory string: bcdedit.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00482F50 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize, 1_2_00482F50
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe API coverage: 4.0 %
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Product from Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose, 1_2_00DA5AE0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose, 1_2_02696A40
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose, 1_2_026B5B80
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose, 1_2_026D52A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose, 1_2_026F3FB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose, 1_2_02703CC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose, 1_2_02F9FAB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose, 1_2_1000F790
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr Binary or memory string: Created encrypted hyper-v loader
Source: WindowsLoader.exe, 00000001.00000002.2875761773.00000000008CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Code function: 0_2_00715A39 IsDebuggerPresent, 0_2_00715A39
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Code function: 0_2_00715BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00715BFC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress, 1_2_0044E350
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Code function: 0_2_0070A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0070A2D5
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00566120 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00566120
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_005662C8 _malloc,std::exception::exception,__CxxThrowException@8,__set_abort_behavior,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_005662C8
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_0056AB47 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0056AB47

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to automate explorer (e.g. start an application)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow, 1_2_004D91C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow, 1_2_004D91C0
Source: Wind0ws7l0aderV3.4875.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr Binary or memory string: Shell_TrayWnd
Source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: uMmenuShutdownSHELL_TRAYWNDSHELL_TRAYWND
Source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: SHELL_TRAYWND
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_00DA5770 cpuid 1_2_00DA5770
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: GetLocaleInfoA, 1_2_00423190
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: _memset,GetDateFormatA,GetDateFormatA,GetLocaleInfoA,GetDateFormatA,GetTimeFormatA,GetTimeFormatA, 1_2_00423A10
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: _strnlen,GetLocaleInfoA,___crtLCMapStringA,_malloc,___crtLCMapStringA,_strcpy_s, 1_2_00566A3E
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,_strupr_s_l_stat, 1_2_00566BBA
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: GetLocaleInfoA,RtlInitializeCriticalSection,RtlEnterCriticalSection,RtlLeaveCriticalSection, 1_2_00409C60
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: GetUserDefaultLCID,GetLocaleInfoA,TranslateCharsetInfo, 1_2_0041A740
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA, 1_2_00422FA0
Queries the product ID of Windows
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId Jump to behavior
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe Code function: 0_2_00715007 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00715007
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_004236B0 _swprintf,MessageBoxA,ExitProcess,LoadLibraryA,GetProcAddress,_memset,_memset,GetTimeZoneInformation, 1_2_004236B0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: 1_2_005650F0 _memset,GetVersionExA,GetVersionExA,GetVersionExA, 1_2_005650F0
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe Code function: cmd.exe /A /C " 1_2_026D12D0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1391067 Sample: Wind0ws7l0aderV3.4875.exe Startdate: 12/02/2024 Architecture: WINDOWS Score: 80 15 Multi AV Scanner detection for submitted file 2->15 17 Binary is likely a compiled AutoIt script file 2->17 19 Machine Learning detection for sample 2->19 6 Wind0ws7l0aderV3.4875.exe 2 2->6         started        process3 file4 13 C:\Users\user\AppData\...\WindowsLoader.exe, PE32 6->13 dropped 21 Binary is likely a compiled AutoIt script file 6->21 10 WindowsLoader.exe 1 6->10         started        signatures5 process6 signatures7 23 Multi AV Scanner detection for dropped file 10->23 25 Query firmware table information (likely to detect VMs) 10->25 27 Machine Learning detection for dropped file 10->27 29 2 other signatures 10->29
No contacted IP infos