Windows Analysis Report
Wind0ws7l0aderV3.4875.exe

Overview

General Information

Sample name:Wind0ws7l0aderV3.4875.exe
Analysis ID:1391067
MD5:9631809ff9e66cc5809e51e2929dfbe8
SHA1:4ee1085393d94978fc17b1453517f0aa7f40b8a3
SHA256:c88140bcf066a56fb1d067ab538f7f7a9b39190b955ba370ffdf91cbcbf02583
Tags:exe

Detection

Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Binary is likely a compiled AutoIt script file
Contains functionality to automate explorer (e.g. start an application)
Machine Learning detection for dropped file
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May use bcdedit to modify the Windows boot settings
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the product ID of Windows
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Wind0ws7l0aderV3.4875.exe (PID: 7520 cmdline: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe MD5: 9631809FF9E66CC5809E51E2929DFBE8)
    • WindowsLoader.exe (PID: 7536 cmdline: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe MD5: 323C0FD51071400B51EEDB1BE90A8188)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | ReversingLabs: Detection: 66%
Source: Wind0ws7l0aderV3.4875.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Joe Sandbox ML: detected
Source: Wind0ws7l0aderV3.4875.exe | Joe Sandbox ML: detected
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdbt[ source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: c:\RB\REALbasic\REALbasic Visual Studio\REALbasic\release\X86RunHoudini.pdb source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: bootsect.pdb source: WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000002.2876690440.00000000028ED000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA5AE0 FindFirstFileA,FindNextFileA,FindClose,1_2_00DA5AE0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02696A40 FindFirstFileA,FindNextFileA,FindClose,1_2_02696A40
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B5B80 FindFirstFileA,FindNextFileA,FindClose,1_2_026B5B80
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026D52A0 FindFirstFileA,FindNextFileA,FindClose,1_2_026D52A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F3FB0 FindFirstFileA,FindNextFileA,FindClose,1_2_026F3FB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02703CC0 FindFirstFileA,FindNextFileA,FindClose,1_2_02703CC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F9FAB0 FindFirstFileA,FindNextFileA,FindClose,1_2_02F9FAB0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_1000F790 FindFirstFileA,FindNextFileA,FindClose,1_2_1000F790
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0053A130 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,GlobalUnWire,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,GlobalAlloc,GlobalSize,GlobalFix,GlobalUnWire,SetClipboardData,1_2_0053A130
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_004159E0 GetTickCount,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount,1_2_004159E0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005586C0 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_005586C0

System Summary

Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_9caf6c5c-e
Source: Wind0ws7l0aderV3.4875.exe, 00000000.00000000.1620043589.0000000000794000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_57dc25a1-0
Source: Wind0ws7l0aderV3.4875.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_53f12a50-5
Source: Wind0ws7l0aderV3.4875.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"memstr_5d1a8329-6
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00576849
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00571427
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005196C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0040CEF0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0051A770
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00519F00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA25F0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02693550
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B10E9
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026B25C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F1C50
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_026F1310
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F9BE90
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_02F92110
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_10009C00
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100114A0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_10004DC0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_1000DACB
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100087C0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0279321C
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0278901E
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0274A0FD
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_027494EF
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0274BA1A
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe 2F2ABA1E074F5F4BAA08B524875461889F8F04D4FFC43972AC212E286022AB94
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 02F974B0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004AB970 appears 76 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004F1FC0 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 10001000 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004F1F50 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 005253E0 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: String function: 004C9900 appears 41 times
Source: WindowsLoader.exe.0.dr | Static PE information: Resource name: RT_CURSOR type: Microsoft a.out overlay pure segmented standalone word-swapped not-stripped pre-SysV V3.0 386 small model executable not stripped
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: riched32.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Section loaded: wintypes.dll
Source: WindowsLoader.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9983461850649351
Source: WindowsLoader.exe.0.dr | Binary string: \ArcName\multi(0)disk(0)rdisk(1)\ArcName\multi(0)disk(0)rdisk(0)multi(%d)disk(%d)rdisk(%d)FirmwareBootDevice\Registry\Machine\SYSTEM\CurrentControlSet\Control%s\Partition%lu\Partition0SystemPartition\Registry\Machine\SYSTEM\CurrentControlSet\Control\Syspart\Device\Harddisk%lu\Partition%luMININTSystemStartOptions%s%s\ArcName\multi(%d)disk(%d)rdisk(%d)partition(%d)
Source: classification engine | Classification label: mal80.evad.winEXE@3/2@0/0
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA1462 CoInitialize,CoCreateInstance,1_2_00DA1462
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Mutant created: \Sessions\1\BaseNamedObjects\WIN7LDRMU
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | File created: C:\Users\user\AppData\Local\Temp\aut2507.tmp
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Process created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe C:\Users\user\AppData\Local\Temp\WindowsLoader.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Window found: window name: SysTabControl32
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Wind0ws7l0aderV3.4875.exe | Static file information: File size 4612608 > 1048576
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x39da00
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Wind0ws7l0aderV3.4875.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0044E350 LoadLibraryA,GetProcAddress,GetLongPathNameW,GetProcAddress,1_2_0044E350
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00568521 push ecx; ret 1_2_00568534
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_100179F0 push eax; ret 1_2_10017BE1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | File created: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe (dropped file)
Source: WindowsLoader.exe.0.dr | Binary or memory string: bcdedit.exe
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00482F50 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CoInitialize,1_2_00482F50
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | System information queried: FirmwareTableInformation
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-614
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | API coverage: 7.0 %
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API coverage: 4.0 %
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Product from Win32_BaseBoard
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: Created encrypted hyper-v loader
Source: WindowsLoader.exe, 00000001.00000002.2875761773.00000000008CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node graph_1-79313
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node graph_1-80220
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | API call chain: ExitProcess graph end node graph_1-79453
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_00715A39 IsDebuggerPresent,0_2_00715A39
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_00715BFC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00715BFC
Source: C:\Users\user\Desktop\Wind0ws7l0aderV3.4875.exe | Code function: 0_2_0070A2D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0070A2D5
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00566120 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00566120
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_005662C8 _malloc,std::exception::exception,__CxxThrowException@8,__set_abort_behavior,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_005662C8
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_0056AB47 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0056AB47

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_004D91C0 FindWindowW,FindWindowA,ShowWindow,GetActiveWindow,GetMenu,GetMenu,GetSystemMetrics,GetMenu,SetMenu,SendMessageA,GetWindowLongA,GetWindowRect,ScreenToClient,ScreenToClient,ScreenToClient,GetWindowLongA,GetWindowRect,MoveWindow,1_2_004D91C0
Source: Wind0ws7l0aderV3.4875.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: WindowsLoader.exe, 00000001.00000002.2876006832.0000000000C40000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe, 00000001.00000003.1639897139.000000000509C000.00000004.00000020.00020000.00000000.sdmp, WindowsLoader.exe.0.dr | Binary or memory string: Shell_TrayWnd
Source: WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: uMmenuShutdownSHELL_TRAYWNDSHELL_TRAYWND
Source: WindowsLoader.exe, WindowsLoader.exe, 00000001.00000002.2875348989.0000000000401000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: SHELL_TRAYWND
Source: C:\Users\user\AppData\Local\Temp\WindowsLoader.exe | Code function: 1_2_00DA5770 cpuid 1_2_00DA5770